Nssm-2.24 Privilege Escalation

msfvenom -p windows/x64/exec CMD="net localgroup administrators attacker /add" -f exe -o nssm.exe

), Windows may attempt to execute files at each space-separated segment. An attacker with write access to the root or parent directory can place a malicious executable (like C:\Program.exe) that runs with SYSTEM privileges when the service restarts.

The service path is discovered to be C:\Program Files\Application Path\nssm.exe without quotes.
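An audit for the unquoted-path condition described above, as an added example that is not part of the original page or of NSSM. It takes exported ImagePath strings and reports, for each unquoted path with spaces, the earlier locations Windows would try (so their directory ACLs can be checked) and the quoted form to set instead. The service names and all sample values except the nssm.exe path from the text are constructed.

```python
import re

# Constructed sample: service name -> ImagePath string as exported from
# HKLM\SYSTEM\CurrentControlSet\Services\<name>. Only the first path is from the text.
SAMPLE_SERVICES = {
    "AppSvc": r"C:\Program Files\Application Path\nssm.exe",
    "QuotedSvc": r'"C:\Program Files\Application Path\nssm.exe" run',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "ArgsSvc": r"C:\Tools\agent.exe --config C:\My Data\a.ini",
}

# Executable portion: everything up to the first ".exe" followed by a space or end.
_EXE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)


def split_image_path(image_path):
    """Return (executable, arguments) for an unquoted ImagePath, or None if quoted."""
    path = image_path.strip()
    if path.startswith('"'):
        return None
    m = _EXE.match(path)
    exe = m.group(1) if m else path  # no .exe found: conservatively use the whole string
    return exe, path[len(exe):].strip()


def ambiguous_candidates(exe):
    """Locations tried before the real binary: one per space, with .exe appended."""
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def audit(services):
    """List services whose unquoted path contains spaces, with the fix for each."""
    findings = []
    for name, image_path in sorted(services.items()):
        parts = split_image_path(image_path)
        if parts is None:
            continue  # already quoted: no ambiguity
        exe, args = parts
        candidates = ambiguous_candidates(exe)
        if candidates:
            fixed = f'"{exe}"' + (f" {args}" if args else "")
            findings.append({"service": name, "check_acl_on": candidates,
                             "quoted_image_path": fixed})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVICES):
        print(finding)
```

Spaces that appear only in the arguments (as in ArgsSvc) are not flagged, because only the executable portion of the path is ambiguous.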

$ cd C:\ProgramData\SomeApp\bin

This attack requires no user interaction, only low-level local access. It transforms a standard user account into a de facto administrator, enabling lateral movement, ransomware deployment, or the extraction of sensitive data. The vulnerability is classified under CWE-306: Missing Authentication for Critical Function, as the process does not verify the identity or permissions of the process replacing the critical binary. In Phoenix Contact’s DaUM (Device and Update Management) implementation, for instance, low-privileged users could replace the executable to gain full administrative control over the industrial management tool.

: Low (Standard automated techniques apply).