NSSM 2.24 privilege escalation (updated)

Privilege escalation via NSSM (the Non-Sucking Service Manager) usually stems from three main vectors: Weak File Permissions (Insecure Binaries), Registry Permission Overwrite, and Unquoted Service Paths.

1. Weak File Permissions (Insecure Binaries)

If the directory containing the target executable (or the nssm.exe binary itself) has weak Access Control Lists (ACLs), a low-privileged user can modify or replace the binary. NSSM starts the wrapped program under the service's own account, so the replacement runs with that account's privileges (SYSTEM in the cases discussed here) the next time the service starts.

2. Registry Permission Overwrite

NSSM records the program it wraps in the Application value under the service's Parameters key (HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters). If that key is writable by a low-privileged user, the attacker changes the Application string value to point to a malicious payload (e.g., cmd.exe or a reverse shell). When the service cycles, the payload runs as SYSTEM.

Note: If the low-privileged user does not have permission to restart the service directly, they can wait for a system reboot or trigger an administrative action that forces a service restart.

3. Unquoted Service Paths

When Windows attempts to start a service, it parses the binary path in the registry. If a path contains spaces and lacks quotes, Windows interprets the spaces as command-line arguments rather than part of the path. For an ImagePath of C:\Program Files\nssm\nssm.exe, Windows tries C:\Program.exe and then C:\Program Files\nssm.exe before reaching the real binary, so a low-privileged user who can create a file at one of those earlier locations gets it executed as the service account.

Detection

Step 1: Enumerate NSSM services

Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object { $_.PathName -like "*nssm*" }

(Get-WmiObject is deprecated; Get-CimInstance Win32_Service returns the same Name, State and PathName fields.)

Step 2: Check Directory Permissions

Check the ACLs on nssm.exe and on the wrapped executable, on the directories that contain them, and on each service's Parameters registry key, looking for write, delete or change-permission rights granted to Users, Authenticated Users or Everyone.

Mitigations

1. Secure the NSSM binary and the target executable

Reset the ACL, cut inheritance, and grant explicit rights only:

icacls "C:\path\to\nssm.exe" /reset
icacls "C:\path\to\nssm.exe" /inheritance:r
icacls "C:\path\to\nssm.exe" /grant:r "SYSTEM:(F)"
icacls "C:\path\to\nssm.exe" /grant:r "Administrators:(F)"
icacls "C:\path\to\nssm.exe" /grant:r "Users:(RX)"

This grants full control only to SYSTEM and Administrators; Users keep read and execute. Apply the same ACL to the wrapped executable and to the directories holding both binaries, since delete rights on a directory let a user replace a file they cannot edit. Auditing should be enabled to track changes made to service directories.

2. Secure the Windows Registry

Restrict the service's Parameters key so that only SYSTEM and Administrators can write it; Users need at most read access. This closes the Application-overwrite vector even where the binaries themselves are already protected.

3. Quote the service path

Install the service with the path quoted so that the stored path cannot be split at its spaces:

nssm install MyService "C:\Program Files\MyApp\run.bat"

After installing, confirm that the ImagePath stored for the service is quoted if it contains spaces.

Updated Mitigations for Modern Environments

Automated chain discovery: Tools like ChainReactor or ALFA-Chains use AI planning to automatically find sequences of minor misconfigurations (like insecure NSSM services) that lead to full root access.

NSSM version: Version 2.24 has known bugs, including potential crash loops when run without administrator rights. Pre-release versions like 2.25 address several stability and privilege handling issues.
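Detection Steps 1 and 2 above, worked into one script that also covers the unquoted-path vector. This is an added example, not code from the original page or from the NSSM project. It assumes NSSM's registry layout (the Application value under the service's Parameters key) and uses a hypothetical list of low-privileged principals that you should extend for your environment; run it as the low-privileged account whose exposure you want to measure.

```powershell
# Added example (not from the original page or the NSSM project): enumerate NSSM-wrapped
# services and flag the three vectors: low-privileged write access to the binaries, their
# directories or the Parameters key, and an unquoted ImagePath. Run as the low-privileged
# account whose exposure you want to measure; Get-Acl only needs READ_CONTROL, which
# ordinary users normally have on these objects.
# Assumption: NSSM stores the wrapped program in
# HKLM\SYSTEM\CurrentControlSet\Services\<Name>\Parameters\Application.

# Principals an ordinary interactive user belongs to (hypothetical list). Nested custom
# groups are not resolved; extend this for your environment.
$LowPrivPrincipals = @('BUILTIN\Users', 'Everyone',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Access-mask bits that allow changing or replacing the object. FileSystemRights and
# RegistryRights share the Win32 layout for these bits, so one mask serves files,
# directories and keys: WRITE_DATA/KEY_SET_VALUE 0x2, APPEND_DATA/KEY_CREATE_SUB_KEY 0x4,
# FILE_DELETE_CHILD 0x40, DELETE 0x10000, WRITE_DAC 0x40000, WRITE_OWNER 0x80000,
# GENERIC_ALL 0x10000000, GENERIC_WRITE 0x40000000.
$WriteMask = 0x500D0046

function Get-LowPrivWriteAces {
    param([Parameter(Mandatory)][string]$Path)   # file, directory, or HKLM:\ key
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $mask = if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) {
            [int]$ace.FileSystemRights } else { [int]$ace.RegistryRights }
        if (($mask -band $WriteMask) -ne 0) {
            [pscustomobject]@{ Object = $Path; Principal = $ace.IdentityReference.Value
                               Mask = ('0x{0:X8}' -f $mask) }
        }
    }
}

# Windows resolves an unquoted ImagePath by trying each space-delimited prefix (with .exe
# appended) before the full path. Mirror that to find the binary actually started and the
# earlier locations where an attacker could plant a file.
function Resolve-ImagePath {
    param([Parameter(Mandatory)][string]$ImagePath)
    if ($ImagePath.StartsWith('"')) {
        return [pscustomobject]@{ Exe = $ImagePath.Split('"')[1]; Unquoted = $false; HijackFiles = @() }
    }
    $parts = $ImagePath -split ' '
    $exe = $null; $hijack = @()
    for ($i = 1; $i -le $parts.Count -and -not $exe; $i++) {
        $prefix = $parts[0..($i - 1)] -join ' '
        foreach ($probe in @("$prefix.exe", $prefix)) {
            if (Test-Path -LiteralPath $probe -PathType Leaf) { $exe = $probe; break }
        }
        if (-not $exe) { $hijack += "$prefix.exe" }   # e.g. C:\Program.exe, C:\Program Files\nssm.exe
    }
    if (-not $exe) { $exe = $parts[0] }
    [pscustomobject]@{ Exe = $exe; Unquoted = $exe.Contains(' '); HijackFiles = $hijack }
}

function Find-NssmServiceExposure {
    $findings = @()
    foreach ($svc in (Get-CimInstance Win32_Service | Where-Object { $_.PathName -like '*nssm*' })) {
        $img = Resolve-ImagePath -ImagePath $svc.PathName
        $paramsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        $app = (Get-ItemProperty -LiteralPath $paramsKey -Name Application -ErrorAction SilentlyContinue).Application
        if ($img.Unquoted) {
            $findings += [pscustomobject]@{ Service = $svc.Name; Account = $svc.StartName
                Issue = 'UnquotedImagePath'; Object = $svc.PathName; Principal = ''; Mask = '' }
        }
        # Objects whose writability lets a low-privileged user run code as the service account:
        # nssm.exe, the wrapped program, their directories, the Parameters key, and the
        # directories where an unquoted-path hijack file would have to be created.
        $targets = @($img.Exe, (Split-Path -Path $img.Exe -Parent), $paramsKey)
        if ($app) { $app = $app.Trim('"'); $targets += @($app, (Split-Path -Path $app -Parent)) }
        foreach ($h in $img.HijackFiles) { $targets += Split-Path -Path $h -Parent }
        foreach ($t in ($targets | Where-Object { $_ } | Sort-Object -Unique)) {
            foreach ($ace in (Get-LowPrivWriteAces -Path $t)) {
                $findings += [pscustomobject]@{ Service = $svc.Name; Account = $svc.StartName
                    Issue = 'LowPrivWrite'; Object = $ace.Object; Principal = $ace.Principal; Mask = $ace.Mask }
            }
        }
    }
    $findings
}

Find-NssmServiceExposure | Format-Table -AutoSize
```

The ACE check matches principal names rather than computing effective access, so a custom group that itself contains Users would be missed; add such groups to the list or run the script as the user in question and compare against Get-Acl output. A finding with Issue LowPrivWrite on the Parameters key is the registry vector, on a binary or its directory the weak-permissions vector, and UnquotedImagePath paired with a writable hijack directory (for example C:\) is the unquoted-path vector.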
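The three mitigations above and the auditing recommendation, applied to one service from an elevated PowerShell. This is an added example, not code from the original page or from the NSSM project; the service name MyService and the directories C:\Program Files\nssm and C:\Program Files\MyApp are hypothetical placeholders.

```powershell
# Added example (not from the original page or the NSSM project): harden one NSSM-wrapped
# service against the three vectors and enable auditing on its directories. Run elevated.
# The service name and both directories are hypothetical placeholders.
$Service   = 'MyService'
$NssmDir   = 'C:\Program Files\nssm'      # directory holding nssm.exe
$AppDir    = 'C:\Program Files\MyApp'     # directory holding the wrapped program
$SvcKey    = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service"
$ParamsKey = "$SvcKey\Parameters"

# 1. Binaries and their directories: reset to the parent's ACL, cut inheritance, then grant
#    Full Control to SYSTEM and Administrators only and Read/Execute to Users. (OI)(CI) makes
#    each grant inherit to the files and subfolders inside, so a binary dropped later is
#    covered too, and Users get no delete rights on the directory.
foreach ($dir in @($NssmDir, $AppDir)) {
    icacls $dir /reset /T /Q
    icacls $dir /inheritance:r
    icacls $dir /grant:r 'SYSTEM:(OI)(CI)(F)' 'Administrators:(OI)(CI)(F)' 'Users:(OI)(CI)(RX)'
}

# 2. Registry: only SYSTEM and Administrators may change Application / AppParameters.
#    SetAccessRuleProtection($true, $false) drops the inherited ACEs; any explicit leftovers
#    are removed before the three rules below are added.
$keyAcl = Get-Acl -LiteralPath $ParamsKey
$keyAcl.SetAccessRuleProtection($true, $false)
foreach ($r in $keyAcl.Access) { [void]$keyAcl.RemoveAccessRuleAll($r) }
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$none    = [System.Security.AccessControl.PropagationFlags]::None
foreach ($g in @(@{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
                 @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
                 @{ Id = 'BUILTIN\Users';          Rights = 'ReadKey' })) {
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new($g.Id, $g.Rights, $inherit, $none, 'Allow')
    $keyAcl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $ParamsKey -AclObject $keyAcl

# 3. Unquoted path: NSSM's ImagePath is just the path to nssm.exe. If it contains spaces and
#    is stored unquoted, quote it; a value that is not a plain file path (arguments appended)
#    is reported for manual review instead of being rewritten blindly.
$image = (Get-ItemProperty -LiteralPath $SvcKey -Name ImagePath).ImagePath
if ($image -notmatch '^"' -and $image -match ' ') {
    if (Test-Path -LiteralPath $image -PathType Leaf) {
        Set-ItemProperty -LiteralPath $SvcKey -Name ImagePath -Value ('"{0}"' -f $image)
    } else {
        Write-Warning "ImagePath for $Service is unquoted and not a plain file path: $image"
    }
}

# 4. Auditing: record writes, deletions and permission changes in both directories. The SACL
#    produces Security-log events (4656/4663) only once the File System object-access
#    subcategory is enabled; expect some noise from legitimate updates.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
$auditRule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone', 'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
    'ContainerInherit, ObjectInherit', 'None', 'Success, Failure')
foreach ($dir in @($NssmDir, $AppDir)) {
    $acl = Get-Acl -LiteralPath $dir -Audit
    $acl.AddAuditRule($auditRule)
    Set-Acl -LiteralPath $dir -AclObject $acl
}
```

Re-run the detection script (or icacls and Get-Acl by hand) after this to confirm that no Users, Authenticated Users or Everyone ACE with write, delete or change-permission bits remains on the binaries, the directories or the Parameters key. Step 4 changes a machine-wide audit policy, so coordinate it with whoever owns the Security log.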