– Configure NSSM services to run as a managed service account (gMSA) instead of LOCAL SYSTEM.
While the 2.24 release is the one most often discussed in connection with these configurations, always make sure you are running the most stable, up-to-date version of your tools. Furthermore, use tools to monitor for suspicious service modifications or unexpected child processes spawning from nssm.exe.
Conclusion
While NSSM 2.24 is not vulnerable to the classic unquoted service path in its own code, it creates services that are. If an administrator uses NSSM to install a service with a path like C:\Program Files\MyApp\app.exe, and C:\Program Files\MyApp is writable by a non-admin user, an attacker can replace app.exe with a malicious binary.
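A defender can audit for the writable-path condition described above. The following PowerShell is an added example, not code from the original page or from the NSSM project. It assumes the NSSM binary kept its default file name, that the host reports English principal names, and that the `$trusted` list (a hypothetical name) matches your environment.

```powershell
# Added example: list NSSM-managed services whose application binary or
# directory is writable by a principal outside the trusted list.
# Run from an elevated PowerShell prompt on the host being audited.

# Assumption: principals expected to hold write access; extend for your environment.
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
           'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'

# Rights that allow replacing or planting a file at the target.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Get-WeakAce {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return }
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and
        ($trusted -notcontains $_.IdentityReference.Value)
    }
}

$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$findings = foreach ($key in Get-ChildItem -LiteralPath $root) {
    $svc = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
    # Assumption: the NSSM binary kept its default file name.
    if ("$($svc.ImagePath)" -notmatch 'nssm\.exe') { continue }
    # NSSM keeps the wrapped program in the Parameters subkey (Application value).
    $app = (Get-ItemProperty -LiteralPath "$($key.PSPath)\Parameters" -ErrorAction SilentlyContinue).Application
    if (-not $app) { continue }
    # Check both the binary and the directory that contains it.
    foreach ($target in $app, (Split-Path -Parent $app)) {
        foreach ($ace in Get-WeakAce $target) {
            [pscustomobject]@{
                Service  = $key.PSChildName
                Account  = $svc.ObjectName   # LocalSystem here raises the impact
                Path     = $target
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}
$findings | Format-Table -AutoSize
```

Each row is a write-capable ACE held by an untrusted principal. Rows whose Account is LocalSystem are the ones to fix first, by tightening the ACL and moving the service to a managed service account.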
An attacker generally follows these steps to exploit a misconfigured NSSM instance:
An attacker could exploit this vulnerability by creating or modifying a service configuration in a way that NSSM would execute a command or load a DLL with elevated privileges. This could be achieved through specially crafted service definitions that are then processed by NSSM.
If a service named LegacyApp exists and is managed by NSSM 2.24, the attacker can simply modify its parameters without needing admin rights (due to the broken ACL or design flaw in that version):
Or, if using NSSM directly: