NSSM 2.24 Privilege Escalation
When the service restarts, Windows may interpret the path as: C:\Program.exe with arguments Files\App\nssm.exe.
A feature that allows administrators to register a SHA-256 hash of the legitimate application executable. NSSM would verify this hash before every launch; if the binary has been replaced (a common privilege escalation tactic), NSSM would refuse to start the service.
The attacker stops and restarts the service (if they have SERVICE_START and SERVICE_STOP rights) or waits for a system reboot:
Modern service managers include safeguards against arbitrary binary replacement and insecure service configuration modification. NSSM 2.24, however, was designed for convenience—not security. Its core features that enable privilege escalation include:
NSSM stores its service parameters in the Registry. If the permissions on these Registry keys are too loose, a user can modify the AppParameters or Application string to execute a different command when the service starts.
Create a SIEM alert for:
Because nssm.exe requires administrative access to manage background tasks, it almost always executes within the highly privileged LocalSystem context. If a third-party software package bundles NSSM 2.24 and handles directory access control lists (ACLs) or path definitions poorly, a low-privileged local user can manipulate the execution flow to hijack that LocalSystem privilege.
None (can be done entirely quietly in the background).
Step-by-Step Exploitation Mechanics
If a low-privilege user has write access to these registry keys, they can change the Application or AppParameters values. By pointing the service to cmd.exe, an attacker can execute commands as SYSTEM the next time the service initializes.
How the Escalation is Exploited (Proof of Concept)
nssm version
The risk is too high for any environment with multiple users or exposure to untrusted code. The convenience of NSSM does not outweigh the privilege escalation threat. Even if you "trust" your users, malware running as a user can rapidly abuse NSSM to gain SYSTEM.
If the output shows (M) (Modify) or (F) (Full Control) for BUILTIN\Users or NT AUTHORITY\Authenticated Users, the directory is unsafe.
3. Executing the Escalation
Attackers who establish an initial foothold as a low-privileged local user leverage these structural flaws to hijack the service execution chain. This allows them to run malicious code under the context of NT AUTHORITY\SYSTEM, effectively gaining full, unrestricted administrative control over the machine.
Anatomy of NSSM 2.24 Security Vulnerabilities