Nssm224 Privilege Escalation Updated Now

# List services whose ImagePath references NSSM (the filter condition must be a script block)
Get-WmiObject win32_service | Where-Object { $_.PathName -like "*nssm*" } | Select Name, PathName, StartName

Even with quoted paths, services installed by NSSM 2.18 through 2.24 sometimes inherit weak ACLs (Access Control Lists) on their registry key, for example HKLM\SYSTEM\CurrentControlSet\Services\MyService.

If a standard user can modify the ImagePath value, they can point the service to their own executable.
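The following audit script is an added example, not code from the article's author or the NSSM project. It enumerates NSSM-managed services and reports ACEs on each service key and its Parameters subkey that grant write rights to low-privilege principals, covering both the ImagePath weakness described here and the Parameters\Application and AppDirectory values discussed later; the list of low-privilege principals is an assumption to adjust per environment.

```powershell
# Added audit example (not from the article's author or the NSSM project): for every
# NSSM-managed service, report ACEs on the service key and its Parameters subkey that
# let low-privilege principals write. Run from an elevated prompt. The principal list
# below is an assumption; extend it for your environment's groups.
$LowPrivPrincipals = @(
    'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE'
)
# Rights that allow changing ImagePath / Application or the key's own security descriptor
$WriteMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
             [System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
             [System.Security.AccessControl.RegistryRights]::FullControl

function Get-NssmService {
    # Win32_Service.PathName is the SCM ImagePath; for wrapped services it points at nssm.exe
    Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName -like '*nssm*' }
}

function Get-WeakRegistryAce {
    param([Parameter(Mandatory)][string]$KeyPath)
    if (-not (Test-Path -LiteralPath $KeyPath)) { return }
    foreach ($ace in (Get-Acl -LiteralPath $KeyPath).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.RegistryRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Key       = $KeyPath
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited   # inherited ACE: fix the parent key, not just this leaf
        }
    }
}

foreach ($svc in Get-NssmService) {
    $key    = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    $params = Get-ItemProperty -LiteralPath "$key\Parameters" -ErrorAction SilentlyContinue
    Write-Host ("{0}: ImagePath={1} Application={2} AppDirectory={3}" -f
        $svc.Name, $svc.PathName, $params.Application, $params.AppDirectory)
    Get-WeakRegistryAce -KeyPath $key
    Get-WeakRegistryAce -KeyPath "$key\Parameters"
}
```

Any row returned means a non-administrator can redirect what the service launches; an Inherited=True row points at a permissive ACL higher up under Services.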

The second updated finding involves NSSM’s startup directory setting (AppDirectory). By default, NSSM launches the service with the directory of the target executable as its working directory. If the attacker can write to a parent directory, they can perform a DLL planting attack.

This finding is updated because newer Windows defenses such as Safe DLL Search Mode do not block it when the working directory comes first in the search order.


⚠️ NSSM is not inherently vulnerable; the risk lies in improperly secured services installed by NSSM. Always review service permission assignments.

While "NSSM224" is not an official CVE identifier, it likely refers to updated exploit techniques for the Non-Sucking Service Manager (NSSM), a popular tool for running applications as Windows services. NSSM is often targeted for Local Privilege Escalation (LPE) because it runs binaries with SYSTEM privileges, especially when the service configuration or the binaries it points to have insecure permissions.

Overview of NSSM Privilege Escalation

Privilege escalation via NSSM typically occurs when an attacker gains low-privilege access to a machine and identifies a misconfigured service managed by NSSM.

Insecure File Permissions: If the binary file executed by NSSM is located in a directory where a low-privileged user has "Write" or "Modify" permissions, the attacker can replace the legitimate binary with a malicious one (e.g., a reverse shell). When the service restarts, it executes the malicious binary with SYSTEM privileges.

Unquoted Service Paths: If the path to the NSSM executable contains spaces and is not enclosed in quotes, Windows may attempt to execute files at intercept points (e.g., C:\Program.exe instead of C:\Program Files\nssm.exe).

Registry Weakness: NSSM stores service parameters in the Windows Registry. If a user has "Full Control" or "Set Value" permissions over the registry keys under HKLM\SYSTEM\CurrentControlSet\Services\[ServiceName]\Parameters, they can change the AppDirectory or Application values to point to a malicious script.

Updated Exploit Techniques (2024–2026)

Recent write-ups and tools like WinPEAS have updated their checks to specifically flag NSSM-managed services for the following:

Service Binary Replacement: Attackers check the Application registry value to find the exact binary NSSM is calling. Security researchers from MDSec have documented similar "junction" and "symbolic link" attacks in Windows services to redirect file operations, which can be applied to NSSM's file logging features.

Log File Redirection: NSSM allows redirecting stdout and stderr to a file. If an attacker can manipulate these file paths to point to sensitive system files (like win.ini or system binaries), they may be able to corrupt or overwrite them to gain control.

Mitigation and Prevention

To secure NSSM against updated privilege escalation methods:

Restrict Registry Access: Ensure that only SYSTEM and Administrators have write access to HKLM\SYSTEM\CurrentControlSet\Services.

Secure Installation Directories: Always install NSSM and the applications it manages in C:\Program Files\ or other directories with strict Access Control Lists (ACLs).

Use Quoted Paths: Always ensure the "Path to executable" is properly quoted in the service configuration.

Monitor Service Restarts: Use EDR tools to monitor for unusual service restarts or changes to service parameters, which are often precursors to an exploit.
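As an added detection example (not from the article's author or the NSSM project), the script below pulls the two event sources that surface the precursors named above: Sysmon registry value-set events (ID 13) touching a service's ImagePath or NSSM Parameters values, and System log 7045 events for newly installed services wrapped by nssm.exe. It assumes Sysmon is installed with a registry-event rule covering HKLM\SYSTEM\CurrentControlSet\Services; the 24-hour window is an arbitrary default.

```powershell
# Added detection example (not the article's or NSSM's code). Assumes Sysmon is installed
# with RegistryEvent (ID 13) logging enabled for HKLM\SYSTEM\CurrentControlSet\Services.
$Hours = 24                              # look-back window, an arbitrary default
$Since = (Get-Date).AddHours(-$Hours)

# Values NSSM reads under Services\<Name>\Parameters, plus the SCM ImagePath itself.
# Sysmon writes TargetObject as HKLM\System\CurrentControlSet\Services\...
$WatchedValues = 'HKLM\\System\\CurrentControlSet\\Services\\[^\\]+\\' +
                 '(ImagePath|Parameters\\(Application|AppDirectory|AppParameters|AppStdout|AppStderr))$'

function ConvertFrom-EventData {
    # Flatten <EventData><Data Name="..">..</Data></EventData> into a hashtable
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-NssmParameterChange {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            if ($d.TargetObject -match $WatchedValues) {
                [pscustomobject]@{
                    Time = $_.TimeCreated; User = $d.User; Process = $d.Image
                    Target = $d.TargetObject; NewValue = $d.Details
                }
            }
        }
}

function Get-NssmServiceInstall {
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            if ($d.ImagePath -like '*nssm*') {
                [pscustomobject]@{ Time = $_.TimeCreated; Service = $d.ServiceName; ImagePath = $d.ImagePath; Account = $d.AccountName }
            }
        }
}

Get-NssmParameterChange | Format-Table -AutoSize
Get-NssmServiceInstall  | Format-Table -AutoSize
```

A Parameters change whose Process is not nssm.exe or services.exe, or whose User is not an administrator, is the signal worth an alert; 7045 rows show who installed a new NSSM-wrapped service and under which account it runs.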


The most sophisticated updated variant uses NSSM to restart a service that runs under a PPL-protected account (e.g., WinDefend). Since NSSM invokes ChangeServiceConfig via RPC, and the RPC call does not validate the caller’s medium integrity level against the target service’s SecurityDescriptor in the same way as a local API call, an attacker with SeImpersonatePrivilege (e.g., from a LOCAL SERVICE breach) can pivot.

This technique was partially patched in Windows 11 23H2, but many enterprise LTSB/LTSC builds remain vulnerable.

In the ever-evolving landscape of Windows privilege escalation techniques, few identifiers have maintained the staying power of NSSM-224. Originally documented as a proof-of-concept for abusing the Non-Sucking Service Manager (NSSM) utility, this attack vector has recently resurfaced in penetration testing reports and red team operations. Security researchers have released updated findings on how attackers leverage NSSM version 2.24 (and adjacent builds) to bypass standard security boundaries.

This article provides a deep dive into the updated mechanics of the NSSM-224 privilege escalation, why it remains effective against partially patched systems, and how defenders can detect and mitigate the risk—even as Microsoft continues to refine Windows service security.

When NSSM 2.24 installs a service pointing to a path containing spaces (e.g., C:\Program Files\MyApp\run.bat) without quotes, Windows parses the path ambiguously.

Example of vulnerable installation:

nssm install MyService C:\Program Files\MyApp\run.bat

If the service runs as SYSTEM, an attacker with write access to C:\ or C:\Program Files\ can place a malicious Program.exe or Files.exe. When the service starts, the attacker’s binary executes with SYSTEM rights.
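The audit below is an added example, not code from the article's author or the NSSM project. For each NSSM-managed service it flags an unquoted ImagePath containing spaces, a Parameters\Application target that does not exist (the shape an unquoted install like the one above leaves behind when the shell splits the path at the space), and a target binary or containing directory that low-privilege principals can write to; the principal list is an assumption.

```powershell
# Added audit example (not from the article's author or the NSSM project). Run elevated.
# The principal list is an assumption; add your environment's broad groups.
$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$FileWriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Delete -bor
                 [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                 [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-UnquotedSpacePath {
    # True when the path is not quoted and the part up to the executable name contains a
    # space, so the SCM may try C:\Program.exe before C:\Program Files\...\nssm.exe.
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath) -or $ImagePath.TrimStart().StartsWith('"')) { return $false }
    $i = $ImagePath.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    $exePart = if ($i -ge 0) { $ImagePath.Substring(0, $i) } else { $ImagePath }
    return $exePart -match '\s'
}

function Get-WeakFileAce {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $LowPrivPrincipals -contains $ace.IdentityReference.Value -and
            (($ace.FileSystemRights -band $FileWriteMask) -ne 0)) {
            [pscustomobject]@{ Path = $Path; Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

foreach ($svc in Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName -like '*nssm*' }) {
    if (Test-UnquotedSpacePath $svc.PathName) {
        Write-Warning "$($svc.Name): unquoted ImagePath with spaces: $($svc.PathName)"
    }
    $params = Get-ItemProperty -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters" `
                               -ErrorAction SilentlyContinue
    $app = $params.Application
    if (-not $app) { continue }
    if (-not (Test-Path -LiteralPath $app -PathType Leaf)) {
        Write-Warning "$($svc.Name): Application '$app' does not exist (path split at a space?)"
        continue
    }
    # A writable binary or a writable containing directory both allow replacement or planting
    Get-WeakFileAce -Path $app
    Get-WeakFileAce -Path (Split-Path -LiteralPath $app -Parent)
}
```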

NSSM 224 is not inherently vulnerable, but common deployment patterns create local privilege escalation paths. Sysadmins must check service and registry permissions when using any service wrapper.