NSSM 2.24 Privilege Escalation
Understanding and Mitigating NSSM 2.24 Privilege Escalation Vulnerabilities
It may fail to launch services on newer Windows versions (Windows 10 Creators Update/Server 2016+) unless specific registry keys like AppNoConsole=1 are set.

Summary Table: NSSM 2.24 Security Profile

| | Status/Risk | Recommendation |
|---|---|---|
| Primary Vulnerability | Unquoted Service Path | Always wrap paths in double quotes in the registry. |
| Account Privileges | Runs as SYSTEM by default | Use a low-privilege Service Account whenever possible. |
| Stability | Known crashes on XP and Nano Server | Upgrade to the latest pre-release or stable build. |
| Permissions | Weak folder ACLs lead to LPE | Restrict write access to Administrators and SYSTEM only. |

Mitigation & Recommendations

To secure an environment using NSSM 2.24, you should:
When administrators install NSSM, they frequently place the nssm.exe binary or the application it manages into directories with weak Access Control Lists (ACLs).

The Attack Mechanism
on a specific service directory.
Blue teams can detect exploitation attempts via:
Windows Privilege Escalation — Part 1 (Unquoted Service Path)
NSSM 2.24 may enter a crash and restart loop if run without administrator rights when privilege elevation is required, potentially leading to a Denial of Service (DoS).
When a service is registered via NSSM, the SCM does not call the target payload directly. Instead, it executes nssm.exe, passing parameters that point to the underlying application. NSSM then monitors the application, ensuring it restarts automatically if it crashes. Because nssm.exe acts as the primary parent process, it must inherit the security context designated by the SCM (often LocalSystem).

Architectural Vulnerabilities in NSSM 2.24 Implementations
Consider a scenario where a third-party application uses NSSM 2.24 to run a background service.
or the binary it launches with a malicious executable. When the service restarts (or the system reboots), the malicious code runs with privileges.

Notable Examples

IBM Robotic Process Automation
The Non-Sucking Service Manager (NSSM) is a popular, open-source utility designed to run native Windows applications as services. Because it excels at handling applications that aren't natively designed to run in the background, it is frequently used by system administrators and software developers.
accesschk.exe -accepteula -uvwqk "HKLM\SYSTEM\CurrentControlSet\Services\MyNSSMService"
If a service named LegacyApp exists and is managed by NSSM 2.24, the attacker can simply modify its parameters without needing admin rights (due to the broken ACL or design flaw in that version):
sc query state= all | findstr "SERVICE_NAME"