Restrict access to the registry keys used by NSSM. Standard users should never be allowed to modify keys under: HKLM\SYSTEM\CurrentControlSet\Services\
Privilege escalation occurs when an attacker exploits a security weakness to gain higher-level permissions than they were originally assigned. In the context of NSSM, this typically means local privilege escalation (LPE), where a standard user gains administrator or NT AUTHORITY\SYSTEM access because the wrapped service runs under that account.

Common Exploitation Vectors
Alternatively, if the service's Parameters registry key is writable, the attacker modifies the NSSM application path (the Application value) so that the service launches a binary of their choosing:
Get-WmiObject win32_service | Where-Object { $_.PathName -like "*nssm*" } | Select-Object Name, PathName, StartName
NSSM has appeared in several recent security advisories, typically because a third-party installer shipped the binary with improper file system permissions. Phoenix Contact is one such vendor.

The "Create a Feature" Exploit Mechanism
Audit registry permissions to ensure low-privileged users cannot modify service definitions or NSSM parameters.
Threat actors continue to use NSSM 2.24 as a tool for persistence. For example, the ELENOR-corp ransomware
Understanding NSSM-224: Local Privilege Escalation via Windows Service Manipulation
If you are managing Windows environments, here is the updated breakdown of how these vulnerabilities work and how to lock them down.

1. The Core Vulnerability: Weak File Permissions

The most common way
Ensure that standard users (BUILTIN\Users, Everyone, Authenticated Users) only have Read and Execute permissions on the NSSM binary and on the application it launches; any write, delete, change-permissions or take-ownership right lets them swap the executable that runs as SYSTEM.
# Start or restart the nssm service to execute the payload
net start nssm
Track modifications to each service's Parameters subkey, specifically the Application, AppDirectory and AppParameters values that NSSM reads to decide what to launch. Standard operations rarely modify these values post-installation, so a change outside a known deployment window is a strong signal; Windows Security event 4657 (which requires a SACL on the key) or Sysmon Event ID 13 will record the write and the account that made it.

5. Comprehensive Mitigations and Remediation
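The two audits above (binary permissions and Parameters key permissions) can be run in one pass. The script below is an added example written for this page, not code from the original article or from the NSSM project. It assumes an elevated PowerShell session, finds services whose command line contains "nssm" (the same filter the article uses), and reports every Allow ACE that grants one of the standard-user principals named above any right that would let them change nssm.exe, the wrapped application, or the service's Parameters key. The access-mask constants are the documented Win32 rights; the principal list and the output field names are this example's choices.

```powershell
# Added example: audit NSSM-wrapped services for writable binaries and
# writable Parameters registry keys. Run from an elevated PowerShell session.
# Not part of the original article or of NSSM; principal list and output
# layout are assumptions made for this example.

$LowPrivPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')

# File rights that allow changing the executable:
# 0x116 = Write (WriteData|AppendData|WriteEA|WriteAttributes), 0x10000 = Delete,
# 0x40000 = ChangePermissions, 0x80000 = TakeOwnership,
# 0x10000000 = GENERIC_ALL, 0x40000000 = GENERIC_WRITE
$FileWriteMask = 0x116 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

# Registry rights that allow changing the Parameters key:
# 0x2 = SetValue, 0x4 = CreateSubKey, remaining bits as above
$RegWriteMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Get-ExecutablePath {
    # Extract the executable from a service command line or Application value,
    # e.g. "C:\Program Files\Vendor\nssm.exe" or C:\tools\nssm.exe some-arg
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cl = $CommandLine.Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
    }
    return ($cl -split '\s+')[0]
}

function Get-WeakAces {
    # Return Allow ACEs that give a low-privileged principal any bit of $WriteMask.
    # Works for both FileSecurity and RegistrySecurity objects.
    param($Acl, [int]$WriteMask)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = if ($ace.PSObject.Properties['FileSystemRights']) {
            [int]$ace.FileSystemRights
        } else {
            [int]$ace.RegistryRights
        }
        if (($rights -band $WriteMask) -ne 0) { $ace }
    }
}

function Find-WeakNssmServices {
    $findings = @()
    $services = Get-CimInstance Win32_Service | Where-Object { $_.PathName -like '*nssm*' }
    foreach ($svc in $services) {
        $paramsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        $app = (Get-ItemProperty -Path $paramsKey -Name Application -ErrorAction SilentlyContinue).Application

        # 1. Binaries: nssm.exe itself and the program it launches as the service account
        $binaries = @{
            'NSSM binary'         = Get-ExecutablePath $svc.PathName
            'Wrapped application' = Get-ExecutablePath $app
        }
        foreach ($kind in $binaries.Keys) {
            $path = $binaries[$kind]
            if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
            foreach ($ace in Get-WeakAces (Get-Acl -LiteralPath $path) $FileWriteMask) {
                $findings += [pscustomobject]@{
                    Service = $svc.Name; RunsAs = $svc.StartName; Weakness = $kind
                    Object = $path; Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights
                }
            }
        }

        # 2. Registry: the Parameters key that holds Application/AppDirectory/AppParameters
        if (Test-Path -LiteralPath $paramsKey) {
            foreach ($ace in Get-WeakAces (Get-Acl -LiteralPath $paramsKey) $RegWriteMask) {
                $findings += [pscustomobject]@{
                    Service = $svc.Name; RunsAs = $svc.StartName; Weakness = 'Parameters key'
                    Object = $paramsKey; Principal = $ace.IdentityReference.Value; Rights = $ace.RegistryRights
                }
            }
        }
    }
    return $findings
}

Find-WeakNssmServices | Format-Table -AutoSize
```

An empty result means none of the listed principals can change the binaries or the Parameters key; anything reported should be fixed with icacls or Set-Acl so those principals keep only Read and Execute. Two caveats: the "*nssm*" filter misses a copy of nssm.exe that an installer renamed, so pair this with a file-hash or file-description check where that matters, and a writable parent directory is also a finding in practice (the binary can be renamed and replaced) even though this script, like the article, only checks the files and keys themselves.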