NSSM (Non-Sucking Service Manager) has long been a staple for system administrators and developers on the Windows platform. Versions like 2.24, released in the mid-2010s, are celebrated for their ability to turn any executable into a Windows service quickly. However, beneath its utilitarian veneer lies a dangerous attack vector: privilege escalation.
Check the permissions on the registry keys where NSSM stores its parameters. Ensure that standard users cannot modify keys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.
3. Use Service Accounts
NSSM is convenient but dangerous if misconfigured. Always assume that a service running as SYSTEM with writable configuration is a local privilege escalation vector. Audit your endpoints, and don’t let convenience override security.
Windows will attempt to find and execute files along the path in order. For example, it might try to run C:\Program.exe before C:\Program Files\Service Name\nssm.exe.
Mitigation and Recommendations
The primary method for escalating privileges via NSSM 2.24 involves unquoted service paths. If an administrator installs a service using NSSM and the path to the executable contains spaces but no quotation marks (e.g., C:\Program Files\Service Name\nssm.exe), Windows will search for and attempt to execute files in the following order: C:\Program.exe, then C:\Program Files\Service.exe, then C:\Program Files\Service Name\nssm.exe.
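For auditing, the search order described above can be computed from a service's ImagePath value so that each earlier location can be checked for write access by standard users. The following Python sketch is an added example, not code from NSSM or from the original page; the function names and the sample values are constructed for illustration, and it assumes the executable in an unquoted value ends at the first ".exe".

```python
import re

# Constructed sample ImagePath values (not taken from any real host).
SAMPLE_IMAGE_PATHS = {
    "QuotedSvc": r'"C:\Program Files\Service Name\nssm.exe"',
    "UnquotedSvc": r"C:\Program Files\Service Name\nssm.exe",
    "UnquotedWithArgs": r"C:\Program Files\Service Name\nssm.exe arg1 arg2",
    "NoSpaceSvc": r"C:\Tools\nssm.exe",
}

# Assumption: in an unquoted value the executable ends at the first ".exe"
# that is followed by whitespace or the end of the string.
_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def executable_part(image_path):
    """Split an ImagePath into (executable path, was_quoted)."""
    value = image_path.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return (value[1:end] if end != -1 else value[1:]), True
    match = _EXE_END.search(value)
    return (value[:match.end()] if match else value), False


def candidate_paths(image_path):
    """Paths tried in order for an unquoted path with spaces, else []."""
    exe, quoted = executable_part(image_path)
    if quoted or " " not in exe:
        return []
    parts = exe.split(" ")
    candidates = []
    for i in range(1, len(parts)):
        if parts[i - 1]:  # skip empty tokens produced by repeated spaces
            candidates.append(" ".join(parts[:i]) + ".exe")
    candidates.append(exe)
    return candidates


def audit(services):
    """Map each at-risk service to the earlier locations to lock down."""
    return {name: paths[:-1]
            for name, value in services.items()
            if (paths := candidate_paths(value))}


if __name__ == "__main__":
    for name, paths in audit(SAMPLE_IMAGE_PATHS).items():
        print(name, "->", paths)
```

On a real host, the input would be the ImagePath values read from the keys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\; any service the audit reports should have its path quoted.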