Nssm-2.24 — Privilege Escalation

To understand the privilege escalation vector, it is essential to look at how NSSM bridges the gap between interactive applications and the Windows Service Control Manager (SCM).

Used nssm-2.24 to create malicious services (like sysmon) to launch tunneling tools like Ngrok.

The attacker changes the path pointing to the legitimate application to point instead to C:\Windows\System32\cmd.exe or a custom payload. Upon the next service invocation, the system executes the attacker's command with SYSTEM privileges.

Version 2.24, released back in August 2014, is still regarded as the "latest stable version" on the official website and remains in active use across countless systems. Organizations that adopted NSSM early on have built entire automation pipelines around it. Its popularity has led to it being bundled into complex software suites, such as Phoenix Contact’s Device and Update Management, IBM Robotic Process Automation, and Wowza Streaming Engine, all of which inherit any security flaws present in NSSM.

Under this key, NSSM defines values like Application, AppDirectory, and AppParameters.


Or check the registry directly:
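
The following audit script is an added example, not code from the original page or from the NSSM project. It assumes NSSM's per-service settings live in the Parameters subkey of each service under HKLM\SYSTEM\CurrentControlSet\Services; the trusted-principal list and the interpreter pattern are assumptions to adjust for your environment. It lists each NSSM-managed service with its Application, AppDirectory and AppParameters values and flags keys that non-administrative principals can modify.

```powershell
# Added example: audit NSSM-managed services for a hijackable configuration.
# Assumption: NSSM keeps its settings in <service>\Parameters under this root.
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Principals treated as legitimate writers (assumption, adjust as needed).
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
           'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'

# Registry rights that would let a principal change a value such as Application.
$writeMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership'

Get-ChildItem $servicesRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $name = $_.PSChildName
    $svc  = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue

    # Only services whose ImagePath launches nssm.exe are of interest.
    if ($svc.ImagePath -notmatch 'nssm\.exe') { return }

    $paramPath = "$($_.PSPath)\Parameters"
    if (-not (Test-Path $paramPath)) { return }
    $p = Get-ItemProperty -Path $paramPath

    # Allow ACEs that grant write-type rights to a principal outside $trusted.
    $weakAcl = (Get-Acl -Path $paramPath).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band $writeMask) -and
        ($trusted -notcontains $_.IdentityReference.Value)
    }

    [pscustomobject]@{
        Service       = $name
        Application   = $p.Application
        AppDirectory  = $p.AppDirectory
        AppParameters = $p.AppParameters
        # The page describes the path being repointed at cmd.exe; the other
        # interpreters in this pattern are an assumption added for coverage.
        PointsToShell = [bool]($p.Application -match '\\(cmd|powershell|pwsh)\.exe$')
        WritableBy    = ($weakAcl.IdentityReference.Value | Sort-Object -Unique) -join '; '
    }
} | Format-List
```

Run it from an elevated prompt so every service key is readable. A non-empty WritableBy or a true PointsToShell marks a service to review.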