NSSM 2.24 Privilege Escalation

Or via registry (if direct sc fails):

reg query HKLM\SYSTEM\CurrentControlSet\Services /s /f "ImagePath" | findstr /i "nssm"

While unquoted service paths are a generic Windows issue, many older installation scripts, wrappers, and tutorials used NSSM 2.24 without enforcing proper quoting. The prevalence of this version on legacy systems, and its frequent use in automated service creation, made it a common vector in penetration tests and real-world attacks.

Mitigation and Defense Strategies


A key issue with NSSM 2.24 is its reliance on configuration data (stored in the registry under the service's Parameters key) and the potential for misconfigured permissions on the service wrapper itself. While NSSM is designed to manage services, it does not automatically secure the paths of the applications it launches.
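The following audit script is an added example, not code from the original page or from the NSSM project. It enumerates NSSM-wrapped services and reports the two conditions described above: an unquoted ImagePath that contains spaces, and write access for broad principals (Everyone, Users, Authenticated Users) on the wrapper binary, the launched application, or their parent directories. It assumes the launched program is recorded as the "Application" value under the service's Parameters key (NSSM's convention; change $appValueName if your install differs), and it only inspects services whose ImagePath mentions "nssm", so a renamed wrapper would need a different filter. The list of broad principals is constructed for the example.

```powershell
# Added audit example (not part of the original page). Flags NSSM-wrapped services with
# an unquoted ImagePath containing spaces, or with broad write access on the wrapper,
# the launched application, or their parent directories. Run elevated on the host.
# Assumption: the launched program is stored as the "Application" value under the
# service's Parameters key (NSSM's convention); adjust $appValueName if yours differs.

$appValueName = 'Application'

# Constructed list of principals whose write access to a service binary is a finding.
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-ExecutablePath {
    # Reduce an ImagePath such as  C:\Tools\nssm.exe -arg  or  "C:\Program Files\x\nssm.exe"
    # to the bare path of the .exe.
    param([string]$ImagePath)
    $trimmed = $ImagePath.Trim().Trim('"')
    $head = ($trimmed -split '\.exe', 2)[0]
    return "$head.exe"
}

function Test-UnquotedPath {
    # True when the path is unquoted and the executable path itself contains a space,
    # the condition that makes the service binary lookup ambiguous.
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $false }
    if ($ImagePath.TrimStart().StartsWith('"')) { return $false }
    return (Get-ExecutablePath $ImagePath).Contains(' ')
}

function Get-BroadWriteAccess {
    # Names of broad principals holding Allow rights that include write/modify/full control.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return @() }
    $acl = Get-Acl -LiteralPath $Path
    @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadPrincipals -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights.ToString() -match 'Write|Modify|FullControl')
    } | ForEach-Object { $_.IdentityReference.Value })
}

function Get-WritableSummary {
    # Check the file and its parent directory: a writable directory is enough to plant
    # a binary even when the file itself is locked down.
    param([string]$Path)
    if (-not $Path) { return '' }
    $hits = @()
    foreach ($who in Get-BroadWriteAccess $Path)                      { $hits += "file:$who" }
    foreach ($who in Get-BroadWriteAccess (Split-Path -Parent $Path)) { $hits += "dir:$who" }
    return ($hits -join '; ')
}

$report = foreach ($svc in Get-CimInstance Win32_Service) {
    if (-not $svc.PathName -or $svc.PathName -notmatch 'nssm') { continue }

    $wrapperExe = Get-ExecutablePath $svc.PathName
    $paramsKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
    $app        = (Get-ItemProperty -Path $paramsKey -ErrorAction SilentlyContinue).$appValueName

    [pscustomobject]@{
        Service         = $svc.Name
        RunsAs          = $svc.StartName
        UnquotedPath    = Test-UnquotedPath $svc.PathName
        WrapperWritable = Get-WritableSummary $wrapperExe
        Application     = $app
        AppWritable     = Get-WritableSummary $app
    }
}

# Only services with at least one finding are shown.
$report | Where-Object { $_.UnquotedPath -or $_.WrapperWritable -or $_.AppWritable } | Format-Table -AutoSize
```

A service that runs as LocalSystem (RunsAs = LocalSystem) with any non-empty WrapperWritable or AppWritable column, or with UnquotedPath set to True, is the configuration the rest of this page describes; the fix is to quote the ImagePath, move the wrapper and application under an administrator-only directory such as Program Files, and remove the broad write rights the report names.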

The contractor replaces monitor.exe with a reverse shell payload compiled as a Windows service executable. Upon the next scheduled restart (or triggered manually), the shell pops back as NT AUTHORITY\SYSTEM, giving the attacker full control over the domain controller if the service runs there.

net stop ElevationTest
net start ElevationTest

To prevent privilege escalation when using NSSM, you should follow these security best practices:

NSSM 2.24 is a textbook example of how a small oversight in a utility tool can lead to a full domain compromise. The privilege escalation vector is trivial to exploit yet devastating in impact. While the maintainers fixed the issue years ago, the software supply chain is messy.
