An attacker generally follows these steps to exploit a misconfigured NSSM instance:
wmic service where "pathname like '%nssm%'" get name, pathname

nssm-2.24 privilege escalation