Privilege Escalation - Nssm-2.24

Before diving into the specific vulnerabilities, it is essential to understand what NSSM does and why it creates an attractive target for attackers. NSSM acts as a service wrapper that injects complete Windows service lifecycle management capabilities into ordinary executable programs without requiring code modification. When the service starts, the NSSM process takes control and runs the target executable with specified user contexts—often LocalSystem, NetworkService, or custom domain accounts. It monitors the process, restarts it upon failure, and forwards control requests from the Service Control Manager (SCM).

: While NSSM development is infrequent, ensure you are using the most stable version and auditing the service creation process for common Windows misconfigurations. nssm-2.24 privilege escalation

Once an attacker gains LocalSystem privileges, they have complete control over the compromised host. This includes the ability to read, modify, and delete any file; install software and drivers; create and modify user accounts; disable security controls; and tamper with audit logs. Before diving into the specific vulnerabilities, it is

$ icacls nssm.exe nssm.exe Everyone:(I)(F) # <-- Full control for Everyone! It monitors the process, restarts it upon failure,

If you are defending an enterprise network, look for the following indicators of compromise (IoCs):

Summary

Ensure that the directory containing nssm.exe and the application binaries it manages are only writable by Administrators ( System or Administrators group). Low-privileged users should have only Read & Execute permissions.