NSSM 2.24 Privilege Escalation (Updated)
net stop [ServiceName] && net start [ServiceName]
NSSM stores its configuration parameters (such as the Application path) in the Windows Registry under: HKLM\SYSTEM\CurrentControlSet\Services\[ServiceName]\Parameters
Implement file integrity monitoring (FIM) on the critical directories where NSSM is installed. Alerts on modifications to nssm.exe can provide early warning of an attempted privilege escalation. Solutions such as Microsoft Defender for Endpoint, Sysmon (Event ID 11 for file creation), or third-party EDR tools can detect and block unauthorized file replacements.
If low-privileged users have permissions to modify this registry key, they can change the Application string value to point to cmd.exe or a custom payload.
Step-by-Step Exploitation Walkthrough
Administrators should regularly audit services. You can use the following PowerShell command to identify unquoted services:
net stop [ServiceName] && net start [ServiceName]
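To make that audit concrete, here is an added example (not code from the original page): a PowerShell script that lists every service whose executable grants write, modify, delete or full-control rights to a low-privileged principal, which is exactly the weak-ACL condition that lets nssm.exe be swapped out. It assumes PowerShell 5.1 or later on Windows and that it is run from an elevated session so every ACL is readable.

```powershell
# Added example, not from the original page: find service binaries that
# non-administrative principals can overwrite (the precondition for the
# NSSM 2.24 binary-replacement issue). Assumes PowerShell 5.1+, run elevated.

# Principals that should never hold write rights on a service executable.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Any of these rights is enough to replace or alter the binary.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::Delete

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName may be quoted or unquoted and may carry arguments; keep the .exe only.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)\b') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Find-WritableServiceBinaries {
    Get-CimInstance Win32_Service | ForEach-Object {
        $exe = Get-ServiceBinaryPath $_.PathName
        if (-not (Test-Path -LiteralPath $exe)) { return }   # skip missing binaries
        $acl = Get-Acl -LiteralPath $exe
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $WriteRights) -eq 0) { continue }
            [pscustomobject]@{
                Service   = $_.Name
                StartName = $_.StartName    # LocalSystem means a SYSTEM-level finding
                Binary    = $exe
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

Find-WritableServiceBinaries | Format-Table -AutoSize
```

Run the same ACL check against the directory that contains each binary as well, since write access on the folder is the other common way a service executable gets replaced.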
file for a malicious one (e.g., a reverse shell) and wait for a system reboot or service crash.
🛠️ Mitigation and Remediation
Auditing should be enabled to track changes made to service directories.
2. Secure the Windows Registry
If your environment uses NSSM 2.24, immediate action is recommended to secure service binaries: Audit Permissions: Ensure that only Administrators
copy /y c:\Temp\reverse_shell.exe "C:\Program Files\Vendor Software\nssm.exe"
A low-privileged, authenticated user replaces the legitimate application binary with a malicious payload (or a renamed copy of cmd.exe). Because the Windows service runs in the background as SYSTEM, restarting the service or the machine grants the attacker full administrative control.
2. Methodology: Exploiting NSSM 2.24