NSSM-2.24 Privilege Escalation 2021

A. The Mechanism
NSSM allows users to install a service by specifying an application path (e.g., nssm install ServiceName "C:\Path\To\App.exe"). While NSSM attempts to validate the executable, version 2.24 contains logic flaws regarding how it handles the executable path and command-line arguments passed to the Windows Service Control Manager (SCM). When a standard user is tricked or coerced into running NSSM 2.24 (perhaps via a phishing attack or a malicious script on a shared terminal server), the tool does not properly validate the executable path and arguments before the service starts.

This allows an unprivileged user to:
- influence which executable, and with which arguments, the service launches, because NSSM 2.24 does not validate them before the service starts.

A service installed with NSSM runs as LocalSystem unless another account is configured, so whatever binary the service ends up launching runs with SYSTEM privileges. The attacker then waits for a reboot, or uses wmic service to attempt a restart if they have the rights to do so (a standard user normally lacks the start/stop right on a service, so the reboot path is the common one).

How to Mitigate NSSM-2.24 Risks
Securing systems against NSSM 2.24 privilege escalation requires fixing the service configuration.

1. Fix the Service Path (Immediate Action)
The most common exploit vector against NSSM 2.24 is a service-path vulnerability, which is a classic Windows misconfiguration. The absolute path to nssm.exe and the application binary it wraps must be strictly protected: remove write/modify access for standard users on both binaries and on the directories that contain them (a user who can write to the directory can rename or replace the binary even when the file itself is locked down).

2. Checking Permissions
Check HKLM\System\CurrentControlSet\Services\[ServiceName] to ensure permissions are restricted to Administrators and SYSTEM. Include the Parameters subkey beneath it, since that is where NSSM stores the path of the wrapped application (the Application value) and its arguments (AppParameters); a user who can write those values controls what the service launches just as surely as one who can replace the binary.

Testing for the Issue
1. A tester first identifies services running with NSSM. This is often done by checking the service list or searching for the nssm.exe binary. Command: tasklist /svc or Get-Service (Get-CimInstance Win32_Service also exposes the full ImagePath, which is what reveals nssm.exe).
2. Checking Permissions: the tester then reads the ACLs on nssm.exe, the wrapped binary, their directories and the service's registry keys, looking for Allow entries that give Users, Everyone, Authenticated Users or INTERACTIVE any write, delete or full-control right.
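The enumeration and permission check described above, carried through as an added PowerShell audit script; it is example code written for this page, not code from the original article or from the NSSM project. It assumes NSSM's documented registry layout (the wrapped program's path in HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\Application; verify against your NSSM build), that it runs from an elevated PowerShell so every service's ACLs can be read, and the function names Invoke-NssmServiceAudit, Get-WeakAce and Get-NssmRemediationCommand are hypothetical names chosen here. The set of "low-privilege principals" is also an assumption that you should extend with any domain groups that standard users belong to in your environment.

```powershell
# Added audit script, not from the original page or the NSSM project.
# Assumptions: NSSM keeps the wrapped program in
#   HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\Application
# and the script runs elevated so all ACLs are readable.

# Principals every standard (non-admin) interactive user is a member of.
$LowPrivPrincipals = @(
    'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Rights that let such a principal replace a binary or rewrite a service key.
# Modify and FullControl contain these bits, so they are caught as well.
$FileWriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$RegWriteMask  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$GenericWriteBits = 0x50000000   # GENERIC_ALL | GENERIC_WRITE, as some ACEs store them

function Get-ExecutableFromCommandLine([string]$CommandLine) {
    # "C:\Program Files\nssm\nssm.exe" args  -> quoted path
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    # C:\Tools\nssm.exe args                  -> first token ending in .exe
    if ($CommandLine -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return $CommandLine.Trim()
}

function Get-WeakAce {
    # One object per Allow ACE granting a low-privilege principal write-class
    # rights on a file, a directory or a registry key.
    param([string]$Path, [switch]$Registry)
    $acl  = Get-Acl -LiteralPath $Path
    $mask = if ($Registry) { [int]$RegWriteMask } else { [int]$FileWriteMask }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = if ($Registry) { [int]$ace.RegistryRights } else { [int]$ace.FileSystemRights }
        if ((($rights -band $mask) -ne 0) -or (($rights -band $GenericWriteBits) -ne 0)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = if ($Registry) { $ace.RegistryRights } else { $ace.FileSystemRights }
            }
        }
    }
}

function Invoke-NssmServiceAudit {
    # Step 1: services whose ImagePath is nssm.exe (the tester's enumeration).
    $nssmServices = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match 'nssm(64)?\.exe' }
    foreach ($svc in $nssmServices) {
        $key       = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        $paramsKey = "$key\Parameters"
        $wrapped   = (Get-ItemProperty -LiteralPath $paramsKey -Name Application -ErrorAction SilentlyContinue).Application
        $binaries  = @(Get-ExecutableFromCommandLine $svc.PathName)   # nssm.exe itself
        if ($wrapped) { $binaries += $wrapped }                         # the program it launches
        # Step 2: permissions on each binary, its directory, and the service keys.
        $paths = foreach ($b in $binaries) { $b; Split-Path -LiteralPath $b -Parent }
        foreach ($p in ($paths | Select-Object -Unique)) {
            if (Test-Path -LiteralPath $p) {
                Get-WeakAce -Path $p |
                    Add-Member -NotePropertyName Service -NotePropertyValue $svc.Name -PassThru
            }
        }
        foreach ($k in @($key, $paramsKey)) {
            if (Test-Path -LiteralPath $k) {
                Get-WeakAce -Path $k -Registry |
                    Add-Member -NotePropertyName Service -NotePropertyValue $svc.Name -PassThru
            }
        }
    }
}

function Get-NssmRemediationCommand {
    # Emits the commands that fix a finding; review them, then run as admin.
    param([Parameter(ValueFromPipeline)]$Finding)
    process {
        if ($Finding.Path -like 'HKLM:*') {
            "# Registry: restrict $($Finding.Path) to Administrators and SYSTEM (Set-Acl or regedit), removing $($Finding.Principal)"
        } else {
            $rx = if (Test-Path -LiteralPath $Finding.Path -PathType Container) { '(OI)(CI)RX' } else { 'RX' }
            "icacls `"$($Finding.Path)`" /remove:g `"$($Finding.Principal)`""      # drop every granted right
            "icacls `"$($Finding.Path)`" /grant:r `"$($Finding.Principal):$rx`""   # leave read and execute only
        }
    }
}

$findings = Invoke-NssmServiceAudit
$findings | Format-Table Service, Path, Principal, Rights -AutoSize
$findings | Get-NssmRemediationCommand
```

The audit flags the directory as well as the binary because a Delete or WriteData right on the folder is enough to swap the file out, and it reads the ImagePath through Win32_Service rather than Get-Service because only the former carries the full command line. Re-granting RX after removing the principal keeps the wrapped program usable by ordinary users where that is needed; drop that second line for binaries nobody but SYSTEM should touch.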