Privilege Escalation: NSSM 2.24

shell.exe runs as SYSTEM.

Many applications (e.g., Wowza Streaming Engine, Apache CouchDB, Phoenix Contact) have been found to install NSSM with "Full Control" for the "Everyone" or "Users" group. Attackers can swap the binary with a malicious executable, which then runs with SYSTEM privileges upon the next service restart.

This article dissects the mechanics of the NSSM 2.24 privilege escalation attack, why it works, and what happens when an attacker gains a foothold on a machine with this version installed.

Never store service executables in folders where standard users have write access.

reg add "HKLM\SYSTEM\CurrentControlSet\Services\MyNSSMService\Parameters" /v Application /t REG_SZ /d "C:\temp\evil.exe" /f

The root cause was that all files in the CouchDB installation inherited file permissions from the parent directory, where the installer had granted write permissions to the "Authenticated Users" group. Consequently, a standard non-administrator user could replace the nssm.exe binary with any executable of their choice. Upon service restart or system reboot, that executable would run with LocalSystem privileges, enabling the attacker to create a backdoor administrator account and achieve complete system compromise.
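The two weaknesses described above (a service binary or its parent directory writable by a broad group, and an NSSM Parameters\Application value pointing at a writable target) can both be audited from an elevated PowerShell prompt. The script below is an added example written for this page, not code from NSSM, CouchDB or the article's author. It assumes the standard Win32_Service class and the registry path quoted earlier; the set of "broad" group names and the rights mask are the author's assumptions and can be extended for your environment.

```powershell
# Added audit example (not from the article): list services whose executable,
# its parent directory, or the NSSM-wrapped application can be modified by
# broad groups such as Everyone, Users or Authenticated Users.
$broadGroups = @(
    'Everyone',
    'BUILTIN\Users', 'Users',
    'NT AUTHORITY\Authenticated Users', 'Authenticated Users'
)

# Any of these rights lets a standard user replace or append to the file.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName may be quoted and carry arguments:  "C:\svc\nssm.exe"  or  C:\svc\nssm.exe -foo
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Test-BroadWriteAccess {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadGroups -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

Get-CimInstance Win32_Service | ForEach-Object {
    $svc = $_
    $exe = Get-ServiceBinaryPath $svc.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }

    $findings = @()
    if (Test-BroadWriteAccess $exe) { $findings += "binary writable: $exe" }
    $dir = Split-Path -Parent $exe
    if (Test-BroadWriteAccess $dir) { $findings += "directory writable: $dir" }

    # NSSM stores the wrapped program under the service's Parameters key
    # (HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\Application).
    $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
    $app = (Get-ItemProperty -Path $paramKey -Name Application -ErrorAction SilentlyContinue).Application
    if ($app) {
        $appExe = Get-ServiceBinaryPath $app
        if ((Test-Path -LiteralPath $appExe) -and (Test-BroadWriteAccess $appExe)) {
            $findings += "NSSM Application writable: $appExe"
        }
    }

    if ($findings.Count -gt 0) {
        [pscustomobject]@{
            Service  = $svc.Name
            RunsAs   = $svc.StartName
            Findings = ($findings -join '; ')
        }
    }
} | Format-Table -AutoSize -Wrap
```

Any row reported for a service running as LocalSystem is the exact condition the CouchDB case describes. The fix is to remove the broad ACE (for example with icacls) or relocate the service binary under a directory that only Administrators and SYSTEM can write, then restart the service.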

.\nssm.exe set ElevationTest Application "cmd.exe /c echo SYSTEM LEVEL > C:\ProgramData\poc.txt"