If the output reveals BUILTIN\Users:(I)(F) or NT AUTHORITY\Authenticated Users:(M), the directory is vulnerable because standard users can Modify (M) or have Full Control (F) over the files.
Step 3: Crafting and Swapping the Payload
Non-Sucking Service Manager (NSSM) version 2.24 does not have a unique, built-in "exploit" or CVE inherent to its code. Instead, privilege escalation involving NSSM almost always stems from insecure deployment configurations.
NSSM automatically detects administrative requirements and elevates privileges through the elevate() function, which leverages ShellExecuteEx() with the "runas" verb to launch a new elevated process while preserving all original command-line arguments. This built-in elevation mechanism, while convenient, has historically created attack vectors when combined with improper file permission settings.
The next step is checking the permissions of the directory where the service executable is stored. If the "Authenticated Users" or "Users" group has write access, the system is vulnerable.
Tool: icacls "C:\Path\To\Service"
3. The Swap
nssm-2.24 privilege escalation
NSSM operates by acting as a wrapper. When you register a service using NSSM, Windows actually starts nssm.exe. In turn, NSSM reads configuration parameters from the Windows Registry to determine which actual executable, arguments, and I/O redirection to spin up.
The root cause was that all files in the CouchDB installation inherited file permissions from the parent directory, where the installer had granted write access to the "Authenticated Users" group. Consequently, a standard non-administrator user could replace the nssm.exe binary with any executable of their choice. Upon service restart or system reboot, that executable would run with LocalSystem privileges, enabling the attacker to create a backdoor administrator account and achieve complete system compromise.
When NSSM 2.24 is present, it is usually targeted via three common Windows service misconfigurations:
A tester first identifies services running with NSSM. This is often done by checking the service list or searching for the nssm.exe binary.
Command: tasklist /svc or Get-Service
2. Checking Permissions
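The two steps above (find the NSSM-wrapped services, then check the ACL of the directory holding the binary) can be combined into one audit. The following PowerShell script is an added example written for this page; it is not code from the original article or from the NSSM project. It uses only standard cmdlets (Get-CimInstance, Get-Acl) and makes no assumptions about service names or paths; the list of low-privileged groups and the set of rights treated as "can overwrite the binary" are the reviewer's choices and are marked as such.

```powershell
# Added audit example (not from the original page or from NSSM).
# Lists every service whose ImagePath points at nssm.exe and reports whether a
# low-privileged group can modify the directory that holds the binary, which is
# the misconfiguration described in the text above.

# Assumption: these are the principals a standard, non-admin user belongs to.
$lowPrivGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

# Assumption: any of these rights is enough to replace or overwrite a file.
$writeRights = [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData

Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match 'nssm(\.exe)?' } |
    ForEach-Object {
        $svc = $_

        # PathName may be quoted and may carry arguments; keep only the executable.
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
               else { ($svc.PathName -split ' ')[0] }
        $dir = Split-Path -Parent $exe

        # Find Allow ACEs on the directory that give a low-privileged group write rights.
        $acl  = Get-Acl -Path $dir
        $weak = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($lowPrivGroups -contains $_.IdentityReference.Value) -and
            (($_.FileSystemRights -band $writeRights) -ne 0)
        }

        [PSCustomObject]@{
            Service    = $svc.Name
            StartName  = $svc.StartName   # LocalSystem means a swapped binary would run as SYSTEM
            Directory  = $dir
            WeakACEs   = ($weak | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
            Vulnerable = [bool]$weak
        }
    } | Format-Table -AutoSize
```

Run it from an elevated prompt so Get-Acl can read every service directory. A row with Vulnerable = True and StartName = LocalSystem is exactly the CouchDB situation described below: inherited Authenticated Users write access on the folder containing nssm.exe. The fix is to remove the offending ACE (icacls <dir> /remove:g "Authenticated Users") and re-check inheritance on the parent directory, not just on nssm.exe itself, since NSSM also launches whatever application path is stored under the service's Parameters registry key.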
.\nssm.exe install ElevationTest cmd.exe
NSSM (Non-Sucking Service Manager) version 2.24 (and possibly prior versions)
An attacker gains initial access to a Windows machine as a low-privileged user. They enumerate running services to find those managed by NSSM.
Move to NSSM 2.25 pre-release or a newer version to fix known handle leaks and Windows 10 bugs.