The most sophisticated variant uses NSSM to restart a service that runs under a PPL-protected account (e.g., WinDefend ). Since NSSM invokes ChangeServiceConfig via RPC, and the RPC call does not validate the caller’s medium integrity level against the target service’s SecurityDescriptor in the same way as a local API call, an attacker with SeImpersonatePrivilege (e.g., from a LOCAL SERVICE breach) can pivot.
If successful, the attacker’s reverse_shell.exe runs as . nssm224 privilege escalation updated
Although NSSM 2.24 was released years ago, security researchers continue to find it bundled in modern software (like Phoenix Contact in 2025) with original, insecure installation scripts. Binary Hijacking: The most sophisticated variant uses NSSM to restart
View registry parameters: