
NSSM 2.24 Privilege Escalation

Disclaimer: This post is for educational and defensive purposes only. Unauthorized access to systems is illegal.

NSSM 2.24 privilege escalation refers to a class of local privilege escalation (LPE) vulnerabilities that occur when the Non-Sucking Service Manager (NSSM) v2.24 binary or its configuration is poorly secured within a Windows environment. NSSM is a widely trusted, open-source utility that allows administrators to wrap any script, command, or standard executable into a resilient Windows background service. However, because NSSM services typically execute with administrative or NT AUTHORITY\SYSTEM privileges, any misconfiguration or insecure permission set tied to the nssm.exe executable instantly turns the utility into a high-impact vector for local privilege escalation.

The Core Concept: How NSSM Works

The Non-Sucking Service Manager (NSSM) is a lightweight, open-source utility designed to simplify the creation and management of Windows services. Unlike Microsoft's built-in sc command or legacy tools like srvany, NSSM offers a more robust solution, automatically handling restarts for crashed applications and providing detailed logging. It is particularly favored by developers and system administrators for wrapping any standard executable (console apps, scripts, Java JARs, Node.js servers) into a fully-fledged Windows service.

Attack Vectors

1. Unquoted Service Paths

If a service is installed with a path like C:\Program Files\My App\nssm.exe, and it is not properly quoted, Windows attempts to execute the path in the following order:

C:\Program.exe (with args: Files\My App\nssm.exe)
C:\Program Files\My.exe (with args: App\nssm.exe)
C:\Program Files\My App\nssm.exe

A malicious Program.exe placed at one of the earlier positions runs with elevated SYSTEM privileges.

2. Service Path Interception (Weak Permissions)

A service is configured to run C:\Program Files\App\nssm.exe. An attacker with low-level access replaces the nssm.exe binary with a malicious file (e.g., a reverse shell). Because NSSM usually runs as the LocalSystem account, the next time the service restarts, the attacker's code executes with full administrative power.

In a locked-down environment, the user cannot start the service themselves. However, an attacker can simply wait for the server to reboot (or trigger a crash/reboot via another vector), at which point the service starts automatically.

3. Controllable Parameters or Configuration Files

NSSM reads the program it launches from the service's Parameters\Application registry key, so that key and the program it points to must be as well protected as nssm.exe itself. When enumerating, look for nssm.exe in the service path or in the Parameters\Application registry key.

Enumeration

Find services whose ImagePath references NSSM:

```
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /f "ImagePath" | findstr /i "nssm"
```

The same search from PowerShell (Where-Object needs a script block around the comparison):

```
# Find NSSM services
Get-WmiObject win32_service | Where-Object { $_.PathName -like "*nssm*" } | Format-Table Name, StartName, PathName
```

Mitigation

Standard users should only have Read and Execute permissions on nssm.exe.

Ensure the directory containing nssm.exe is only writable by high-privilege accounts.

Later versions of NSSM (2.24.1, 2.25, and above) introduced critical safeguards.
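The following audit script is an added example and not code from the original post: it combines the enumeration commands and the permission checks above into one pass over every NSSM-wrapped service, flagging unquoted paths with spaces, write access for low-privileged principals on nssm.exe and its directory, and the same weakness on the Parameters key and the wrapped application. The list of principals treated as low-privileged and the output column names are my own choices.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell prompt.
# Principals that should never hold write rights on a SYSTEM service's binary or config.
$lowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Bits shared by FileSystemRights and RegistryRights that allow replacing content or ACLs:
# WriteData/SetValue (2), AppendData/CreateSubKey (4), Delete (0x10000),
# ChangePermissions (0x40000), TakeOwnership (0x80000). Modify and FullControl include them.
$writeMask = 0xC0006

function Get-WeakWriter {
    param([string]$Path)   # file, directory, or HKLM:\ registry path
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $null }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = if ($null -ne $ace.FileSystemRights) { [int]$ace.FileSystemRights } else { [int]$ace.RegistryRights }
        if (($lowPrivPrincipals -contains $ace.IdentityReference.Value) -and ($rights -band $writeMask)) {
            return $ace.IdentityReference.Value
        }
    }
    return $null
}

Get-CimInstance Win32_Service | Where-Object { $_.PathName -like '*nssm*' } | ForEach-Object {
    $svc = $_
    $findings = @()
    # Executable portion of the ImagePath: quoted part if present, else everything up to ".exe".
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { $svc.PathName -replace '(?i)(\.exe).*$', '$1' }

    # 1. Unquoted path with a space: Windows probes C:\Program.exe, C:\Program Files\My.exe ... first.
    if ($svc.PathName -notmatch '^"' -and $exe -match '\s') { $findings += 'unquoted path with spaces' }

    # 2. Weak permissions on nssm.exe or its directory let a low-privileged user swap the binary.
    foreach ($p in @($exe, (Split-Path -Path $exe -Parent))) {
        $who = Get-WeakWriter -Path $p
        if ($who) { $findings += "writable by $who : $p" }
    }

    # 3. The wrapped program comes from Parameters\Application; the key and the target must be locked down too.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
    $app = (Get-ItemProperty -Path $key -Name Application -ErrorAction SilentlyContinue).Application
    foreach ($p in (@($key, $app) | Where-Object { $_ })) {
        $who = Get-WeakWriter -Path $p
        if ($who) { $findings += "writable by $who : $p" }
    }

    [pscustomobject]@{
        Service  = $svc.Name
        RunsAs   = $svc.StartName
        Path     = $svc.PathName
        Findings = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
} | Format-Table -AutoSize -Wrap
```

Any row other than OK on a service that runs as LocalSystem is a candidate for the fixes listed under Mitigation: quote the ImagePath, and restrict write access on the binary, its directory, and the Parameters key to administrators.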