NSSM 2.24 Privilege Escalation | Updated


Grant the service account only the explicit permissions it needs to perform its specific task.

3. Implement Endpoint Detection and Response (EDR)

For instance, if nssm.exe installs a service with the path:

    C:\Program Files\App Folder\nssm.exe

Windows may try to interpret this sequentially:

    C:\Program.exe                      (with args: Files\App Folder\nssm.exe)
    C:\Program Files\App.exe            (with args: Folder\nssm.exe)
    C:\Program Files\App Folder\nssm.exe

2. The Exploitation Mechanism

Often, the issue is not just the unquoted path, but that the nssm.exe executable itself resides in a directory where standard users have write permissions, allowing them to replace the legitimate nssm.exe wrapper with a malicious one.

2. Abusing AppParameters

If an administrator misconfigures the registry ACLs, granting write access to non-administrative users on the service's subkeys, an attacker can change the Application value to point to C:\Windows\System32\cmd.exe or a custom backdoor.

    nssm install UpdaterService "%temp%\update.exe" --silent
    nssm set UpdaterService AppParameters "/c whoami > C:\ProgramData\out.txt"
    nssm start UpdaterService

This content is for educational and defensive security purposes only. Unauthorized exploitation of privilege escalation vulnerabilities is illegal.

For penetration testers: Always check for NSSM 2.24. For defenders: Treat any instance of NSSM as a potential backdoor unless its entire folder structure and registry keys are locked down tighter than a standard Windows service.

    sc config "MyService" binPath= "\"C:\Program Files\nssm\nssm.exe\" MyService"

4. Monitor and Detect

If the service security descriptor allows standard users the SERVICE_CHANGE_CONFIG or SERVICE_ALL_ACCESS permission, an attacker does not even need to touch the registry directly. They can use native Windows tools to reconfigure the binary path of the service wrapper itself.

3. Step-by-Step Exploitation Walkthrough

If you have permission to restart the service, do so. If not, wait for a system reboot.

    sc stop
    sc start

Ensure that only administrators and the system account have write access to service registry keys. Low-privilege users should only have read access.
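As an added example (not code from the original page or from the NSSM project), the following read-only PowerShell audit checks a host for the four weaknesses this page describes: an unquoted ImagePath containing spaces, a wrapper executable or wrapped application living in a directory standard users can write to, a service registry key or its Parameters subkey writable by standard users, and a service DACL that grants SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER to standard users. The function names and the list of "standard user" SIDs are my own choices; the only NSSM-specific fact assumed is that NSSM stores the wrapped program in the Application value under the service's Parameters subkey. Run it from an elevated prompt; everything it reports comes from the host being audited.

```powershell
# Added audit example, not code from the original page or from the NSSM project.
# Read-only: enumerates services, keeps the ones that look NSSM-managed (ImagePath mentions
# nssm, or the NSSM-specific Parameters\Application value exists) and reports weak spots.
# Assumption: NSSM keeps its wrapped program in <service>\Parameters\Application.

# Well-known SIDs for "standard user" principals: Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE
$weakSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')

# Write-class bits only (FullControl and Modify contain these), plus GENERIC_WRITE / GENERIC_ALL
$fsWrite  = 0x2 -bor 0x4 -bor 0x10 -bor 0x100 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000
$regWrite = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000
$svcWrite = 0x2 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000   # SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL

function Get-WeakAclPrincipals {
    # Returns the weak SIDs that hold an Allow ACE with any bit of $Mask on $Path (file or registry key).
    param([string]$Path, [int]$Mask)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return @() }
    $hits = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if ($weakSids -notcontains $sid) { continue }
        $rights = if ($ace.PSObject.Properties['FileSystemRights']) { [int]$ace.FileSystemRights } else { [int]$ace.RegistryRights }
        if (($rights -band $Mask) -ne 0) { $sid }
    }
    @($hits | Sort-Object -Unique)
}

function Get-WeakServiceDaclPrincipals {
    # Parses the SDDL printed by "sc.exe sdshow" and returns weak SIDs allowed any bit of $svcWrite.
    param([string]$Name)
    $sddl = (& sc.exe sdshow $Name 2>$null | Where-Object { $_ -match '^D:' }) -join ''
    if (-not $sddl) { return @() }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    $hits = foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        if (($ace.AccessMask -band $svcWrite) -ne 0 -and $weakSids -contains $ace.SecurityIdentifier.Value) { $ace.SecurityIdentifier.Value }
    }
    @($hits | Sort-Object -Unique)
}

function Get-ExecutableFromImagePath {
    # Splits a service ImagePath into the executable part and whether it was quoted.
    param([string]$ImagePath)
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return [pscustomobject]@{ Exe = $p.Substring(1, $end - 1); Quoted = $true } }
    }
    $m = [regex]::Match($p, '^(.*?\.exe)', 'IgnoreCase')
    $exe = if ($m.Success) { $m.Groups[1].Value } else { ($p -split '\s+')[0] }
    [pscustomobject]@{ Exe = $exe; Quoted = $false }
}

$report = foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
    $name  = $key.PSChildName
    $image = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if (-not $image) { continue }
    $paramsPath = Join-Path $key.PSPath 'Parameters'
    $app = (Get-ItemProperty -Path $paramsPath -Name Application -ErrorAction SilentlyContinue).Application
    if ($image -notmatch 'nssm' -and -not $app) { continue }   # not NSSM-managed, skip

    $findings = @()
    $parsed = Get-ExecutableFromImagePath ([Environment]::ExpandEnvironmentVariables($image))
    if (-not $parsed.Quoted -and $parsed.Exe -match '\s') { $findings += "unquoted ImagePath with spaces: $image" }

    # Wrapper binary and its folder, plus the wrapped program and its folder (e.g. something under %temp%)
    $paths = @($parsed.Exe, (Split-Path $parsed.Exe -Parent))
    if ($app) { $appExe = [Environment]::ExpandEnvironmentVariables($app); $paths += $appExe, (Split-Path $appExe -Parent) }
    foreach ($fp in ($paths | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Sort-Object -Unique)) {
        $weak = Get-WeakAclPrincipals -Path $fp -Mask $fsWrite
        if ($weak) { $findings += "standard users can write $fp ($($weak -join ', '))" }
    }
    foreach ($rp in (@($key.PSPath, $paramsPath) | Where-Object { Test-Path -LiteralPath $_ })) {
        $weak = Get-WeakAclPrincipals -Path $rp -Mask $regWrite
        if ($weak) { $findings += "standard users can write registry key $rp ($($weak -join ', '))" }
    }
    $weak = Get-WeakServiceDaclPrincipals -Name $name
    if ($weak) { $findings += "service DACL grants change-config/write-DAC to $($weak -join ', ')" }

    [pscustomobject]@{ Service = $name; ImagePath = $image; Application = $app; Findings = $findings }
}

$report | Where-Object { $_.Findings.Count -gt 0 } | Format-List
```

A service that appears in the output with no findings is still worth a second look if its Application value points somewhere outside a protected directory, since the registry and DACL checks say nothing about what the wrapped program itself does at start-up; the remedy for each finding is the corresponding hardening step on this page (quote the path, tighten the folder and registry ACLs, and restrict the service DACL to administrators and SYSTEM).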

Privilege escalation via NSSM typically occurs when an attacker gains low-privilege access to a machine and identifies a service managed by NSSM that is misconfigured.