Nssm224 Privilege Escalation Updated

(active in early 2025) has been observed deploying NSSM to configure malicious services after gaining an initial foothold through other means.

Summary Table: Key Vulnerability Data

CVE-2024-51448 Detail - NVD (National Institute of Standards and Technology), 18 Jan 2025

NSSM stores its configuration parameters under HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>\Parameters. If low-privilege users have write permissions to this registry key, they can modify the Application, AppDirectory, or AppParameters values to point to a malicious executable.

Ensure that the directory containing the service binary (nssm.exe) and the target application is not writable by the Users group. Only Administrators or SYSTEM should have write access.

To check for weak service permissions manually via PowerShell:

Another classic attack vector involves how NSSM is registered in the Windows registry.

move "C:\Path\To\Service\Binary.exe" "C:\Path\To\Service\Binary.exe.bak"
copy "C:\Temp\service.exe" "C:\Path\To\Service\Binary.exe"

Whenever feasible, steer away from assigning NT AUTHORITY\SYSTEM to custom wrapped applications. Instead:

file in their management services allow low-privileged attackers to escalate rights.

Abuse by Ransomware
