NSSM 2.24 Privilege Escalation

    # Find NSSM services
    Get-WmiObject win32_service | Where-Object { $_.PathName -like "*nssm*" } | Format-Table Name, StartName, PathName

If the permissions on the folder where nssm.exe or its managed application resides are weak (e.g., BUILTIN\Users has Modify or Write permissions), an attacker can replace the legitimate binary with a malicious one. Since NSSM is designed to restart services if they crash, an attacker can simply kill the process and wait for NSSM to restart their malicious version.

3. Known Bugs in v2.24

Avoid running services under the LocalSystem account whenever possible. Configure services to run under dedicated low-privilege service accounts with only the minimum permissions necessary for the application to function.

NSSM operates by acting as a wrapper. When you register a service using NSSM, Windows actually starts nssm.exe. In turn, NSSM reads configuration parameters from the Windows Registry to determine which actual executable, arguments, and I/O redirection to spin up.

    sc config MyNSSMService binPath= "C:\Program Files\SecureApp\app.exe" obj= "NT AUTHORITY\LocalService"

    icacls "C:\YourServiceFolder" /inheritance:d
    icacls "C:\YourServiceFolder" /grant:r Administrators:(OI)(CI)F /grant:r SYSTEM:(OI)(CI)F

2. Upgrade or Replace NSSM

NSSM 2.24 may enter a crash and restart loop if run without administrator rights when privilege elevation is required, potentially leading to a Denial of Service (DoS).

While NSSM 2.24 is not vulnerable to the classic unquoted service path in its own code, it creates services that are. If an administrator uses NSSM to install a service with a path like C:\Program Files\MyApp\app.exe, and C:\Program Files\MyApp is writable by a non-admin user, an attacker can replace app.exe with a malicious binary.
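
An audit that ties the points above together, as an added example that is not part of the original page: it lists NSSM-wrapped services, reads each wrapped executable from the Parameters\Application registry value that NSSM uses, and reports write access held by low-privilege principals on both binaries and their folders. The principal list and the rights mask are choices made for this example.

```powershell
# Added audit sketch, not from the original page. Run elevated so every ACL is readable.
$lowPriv = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
# Rights that allow replacing or tampering with a binary, plus the GENERIC_WRITE/GENERIC_ALL bits.
$rights  = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask    = [int]$rights -bor 0x50000000

function Get-WeakAce {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return }
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        ([int]$_.FileSystemRights -band $mask)
    }
}

Get-CimInstance Win32_Service | Where-Object { $_.PathName -like '*nssm*' } | ForEach-Object {
    $svc = $_
    # The service path may be quoted and may carry arguments; keep only the executable.
    $wrapper = if ($svc.PathName -match '^\s*"?(.+?\.exe)') { $Matches[1] }
    # NSSM stores the wrapped program under the service's Parameters key.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
    $app = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).Application

    # Check each binary and its parent folder once.
    $targets = @($wrapper, $app) | Where-Object { $_ } |
        ForEach-Object { $_; Split-Path -Parent $_ } | Select-Object -Unique
    foreach ($t in $targets) {
        foreach ($ace in (Get-WeakAce -Path $t)) {
            [pscustomobject]@{
                Service  = $svc.Name
                RunsAs   = $svc.StartName
                Path     = $t
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
} | Sort-Object Service, Path | Format-Table -AutoSize -Wrap
```

An empty result means none of the listed principals can write to the checked paths; any row whose RunsAs column shows LocalSystem should be fixed first.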

This article is intended for security professionals and system administrators for defensive purposes only. Understanding attack techniques is essential for implementing effective defenses. Always ensure you have proper authorization before testing security vulnerabilities and adhere to responsible disclosure practices.