NSSM 2.24 Privilege Escalation [patched]

If you must use NSSM, migrate to version 2.24. Better yet, use a maintained alternative like WinSW with XML configuration files that support integrity checks.

Configure NSSM services to run as a managed service account (gMSA) instead of LOCAL SYSTEM.

Ensure the directory containing nssm.exe is writable only by Administrators or TrustedInstaller.

Because NSSM is an executable used to wrap other applications as services, it is a high-value target for attackers who have already gained a foothold on a system.

Primary Escalation Vectors

The directory where the nssm.exe binary or the target application executable resides has "Modify" or "Full Control" permissions granted to "Authenticated Users" or "Everyone."
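A read-only PowerShell audit for the weak-permission condition described above, extended to the unquoted-path condition the page also mentions. This is an added example, not code from the original page or from the NSSM project; the SID list treated as "broad" and the function names `Get-ExePath` and `Get-WeakAce` are assumptions chosen for illustration.

```powershell
# Added audit example, not from the original page. Read-only; run elevated.
# Well-known SIDs (assumed "broad" set): Everyone, Authenticated Users, BUILTIN\Users.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
$sidType   = [System.Security.Principal.SecurityIdentifier]
# Write-capable rights plus GENERIC_WRITE | GENERIC_ALL, which Get-Acl can report as raw bits.
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$mask   = [int]$rights -bor 0x50000000

function Get-ExePath([string]$CommandLine) {
    # Extract the executable from a service command line, quoted or not.
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

function Get-WeakAce([string]$Directory) {
    # Allow ACEs that let a broad group write into the directory.
    if (-not $Directory -or -not (Test-Path -LiteralPath $Directory)) { return @() }
    (Get-Acl -LiteralPath $Directory).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadSids -contains $_.IdentityReference.Translate($sidType).Value -and
        (([int]$_.FileSystemRights) -band $mask) -ne 0
    }
}

Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'nssm' } | ForEach-Object {
    $svc     = $_
    $wrapper = Get-ExePath $svc.PathName
    # NSSM keeps the wrapped program in the service's Parameters\Application registry value.
    $key    = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
    $target = (Get-ItemProperty -Path $key -Name Application -ErrorAction SilentlyContinue).Application

    foreach ($exe in @($wrapper, $target) | Where-Object { $_ }) {
        $dir = Split-Path -Parent $exe
        foreach ($ace in Get-WeakAce $dir) {
            [pscustomobject]@{
                Service = $svc.Name; RunsAs = $svc.StartName; Finding = 'Writable directory'
                Detail  = "$dir : $($ace.IdentityReference) = $($ace.FileSystemRights)"
            }
        }
    }
    if ($wrapper -and $svc.PathName -notmatch '^\s*"' -and $wrapper -match '\s') {
        [pscustomobject]@{
            Service = $svc.Name; RunsAs = $svc.StartName; Finding = 'Unquoted path with spaces'
            Detail  = $svc.PathName
        }
    }
}
```

An empty result means no NSSM-wrapped service matched either condition; inherited ACEs are reported as well, since they grant the same write access as explicit ones.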

An attacker gains initial access to a Windows system as a standard, non-administrative user.

The attacker replaces the legitimate nssm.exe or the underlying script/executable with a malicious payload (e.g., a reverse shell executable).

Later versions of NSSM (2.24.1, 2.25, and above) introduced critical safeguards:

The attacker runs a command to list all services and their paths, looking for unquoted paths containing spaces.

sc config <service_name> binPath= "C:\temp\malware.exe"

This article explores the technical details of the NSSM 2.24 privilege escalation, how it is exploited, and, more importantly, how to secure systems against it.

What is the NSSM 2.24 Privilege Escalation?