NSSM-2.24 Privilege Escalation
The contractor replaces monitor.exe with a reverse shell payload compiled as a Windows service executable. Upon the next scheduled restart (or triggered manually), the shell pops back as NT AUTHORITY\SYSTEM, giving the attacker full control over the domain controller if the service runs there.
Version 2.24 has several documented stability and security-related bugs that were addressed in the 2.25 pre-release builds:
sc config vuln_svc binPath= "C:\evil\shell.exe"
sc stop vuln_svc
sc start vuln_svc
On a vulnerable system, this file will be created by SYSTEM. On a patched system, NSSM will reject the change due to validation errors.