An attacker with low-privileged access (e.g., a standard user on a compromised workstation or via a reverse shell) first enumerates all services:
If permissions are weak, the attacker renames the original nssm.exe and uploads a malicious executable with the same name. nssm-2.24 privilege escalation
The contractor replaces monitor.exe with a reverse shell payload compiled as a Windows service executable. Upon the next scheduled restart (or triggered manually), the shell pops back as NT AUTHORITY\SYSTEM , giving the attacker full control over the domain controller if the service runs there. An attacker with low-privileged access (e