Use icacls to check if the service directory is writable. powershell icacls "C:\Path\To\NSSM\Directory" Use code with caution.
The service runs as (by default for manually installed services), executing malware.exe with the highest privileges. nssm-2.24 privilege escalation
NSSM (Non-Sucking Service Manager) version 2.24 is a widely used tool for managing Windows services, but it presents specific security risks, primarily revolving around . While NSSM itself is not inherently "malicious," its misconfiguration or presence in a compromised environment can be leveraged by attackers to gain NT AUTHORITY\SYSTEM privileges. Deep Review of NSSM 2.24 Vulnerabilities 1. Unquoted Service Path (Most Common) Use icacls to check if the service directory is writable
If an attacker has write access to a directory involved in the service execution chain (e.g., a directory with weak permissions where the service binary resides or a path containing spaces without quotes), they can plant a malicious executable. When the service is started or restarted, the operating system or NSSM will execute the malicious file with SYSTEM privileges. NSSM (Non-Sucking Service Manager) version 2
: A more recent vulnerability identified in products like Phoenix Contact Device and Update Management involves misconfigured permissions on nssm.exe specifically, allowing low-privileged local attackers to gain administrative access. Vulnerability Summary Table CVE-2016-8742 Detail - NVD
Look for process creation events where: