Nssm-2.24 Privilege Escalation Fix ❲Updated❳


Title: From Service Manager to SYSTEM: Abusing NSSM 2.24 for Privilege Escalation

Date: [Insert Date] Tags: #Windows #PrivilegeEscalation #NSSM #InfoSec

5. Remediation and Mitigation

To secure systems running NSSM 2.24 against this vulnerability, administrators should implement the following measures:

  1. Update Software: Update NSSM to the latest stable release, which includes improved path handling and validation logic.
  2. Use Quoted Paths: When installing services, ensure the application path is always encapsulated in double quotes.
    • Correct Usage: nssm install ServiceName "C:\Program Files\My Service\service.exe"
  3. Directory Permissions: Ensure that the directories containing the service executables, the drive root and the program directories (e.g., C:\, C:\Program Files) have strict ACLs. Standard users should not have "Write" or "Modify" permissions in these directories.
  4. Registry Permissions: Restrict write access to the service registry keys (HKLM\SYSTEM\CurrentControlSet\Services\ServiceName) to Administrators and SYSTEM only.
  5. Service Permissions: Audit service permissions using tools like sc sdshow to ensure standard users do not have permission to change service configuration (SERVICE_CHANGE_CONFIG).
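The following PowerShell script is an added example (not part of the original post or of NSSM itself) that audits steps 2 to 5 above for every NSSM-wrapped service on the host. It assumes NSSM keeps the wrapped program path in the "Application" value under ...\Services\<Name>\Parameters, that it is run from an elevated prompt, and that the $LowPriv pattern lists the identities that should never hold write rights.

```powershell
# Added example, not from the original post: audit NSSM-wrapped services for the
# conditions in remediation steps 2-5. Assumes NSSM stores the wrapped program path
# in the "Application" value under ...\Services\<Name>\Parameters. Run elevated.
$LowPriv = 'Users|Everyone|Authenticated Users|INTERACTIVE'   # identities that should never get write

function Get-WeakAces($Path, $RightsProp, $WritePattern) {
    # Allow ACEs on $Path that give low-privileged identities write-class rights.
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match $LowPriv -and
        "$($_.$RightsProp)" -match $WritePattern
    }
}

foreach ($svc in Get-CimInstance Win32_Service) {
    $bin = $svc.PathName
    if (-not $bin -or $bin -notmatch 'nssm') { continue }   # only NSSM-managed services
    $issues = @()

    # Step 2: an unquoted path containing spaces is ambiguous when the service starts.
    if ($bin -notmatch '^"' -and $bin -match '\s') { $issues += "unquoted path: $bin" }

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    $app = (Get-ItemProperty "$key\Parameters" -ErrorAction SilentlyContinue).Application

    # Step 3: the directory holding the wrapped executable must not be user-writable.
    if ($app) {
        $dir = Split-Path -Parent ($app.Trim('"'))
        if (Test-Path $dir) {
            Get-WeakAces $dir FileSystemRights 'Write|Modify|FullControl' |
                ForEach-Object { $issues += "writable dir $dir : $($_.IdentityReference) $($_.FileSystemRights)" }
        }
    }

    # Step 4: the service key must be writable by Administrators and SYSTEM only.
    Get-WeakAces $key RegistryRights 'SetValue|CreateSubKey|WriteKey|FullControl' |
        ForEach-Object { $issues += "writable key $key : $($_.IdentityReference) $($_.RegistryRights)" }

    # Step 5: parse sc sdshow SDDL; DC = SERVICE_CHANGE_CONFIG, WD/WO = WRITE_DAC/WRITE_OWNER.
    # SID slot: BU=Users, AU=Authenticated Users, WD=Everyone, IU=Interactive, SU=Service.
    $sddl = (sc.exe sdshow $svc.Name) -join ''
    foreach ($m in [regex]::Matches($sddl, '\(A;;([A-Z]+);;;(BU|AU|WD|IU|SU)\)')) {
        if ($m.Groups[1].Value -match 'DC|WD|WO|GA|GW') { $issues += "service ACE grants config/DACL write: $($m.Value)" }
    }

    if ($issues) { "[$($svc.Name)]"; $issues | ForEach-Object { "  - $_" } }
    else         { "[$($svc.Name)] no findings" }
}
```

Any line printed under a service name is a condition from the list above that still needs fixing on that host; a clean run prints "no findings" for each NSSM-managed service.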

What Makes NSSM 2.24 Different?

Modern service managers include safeguards against arbitrary binary replacement and insecure service configuration modification. NSSM 2.24, however, was designed for convenience—not security. Its core features that enable privilege escalation include:

  1. Insecure Default Permissions on Service Binaries – The service executables pointed to by NSSM often reside in user-writable locations.
  2. Weak ACLs on Service Configuration – NSSM stores its configuration in the registry under HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>\Parameters, but older versions fail to enforce strict permissions.
  3. No Binary Path Validation – NSSM does not verify the integrity or ownership of the target executable when starting or restarting a service.

Step 1 – Enumeration

An attacker with low-privileged access (e.g., a standard user on a compromised workstation or via a reverse shell) first enumerates all services:

sc query state= all | findstr "SERVICE_NAME"

They then check for NSSM-managed services by looking for display names or descriptions containing "NSSM" or by inspecting the binary path:

sc qc <service_name>

If the BINARY_PATH_NAME points to an NSSM executable (e.g., C:\nssm-2.24\win32\nssm.exe), the service is a candidate.

Detection

Look for:

Check the output: the file should be owned by SYSTEM.

type C:\ProgramData\poc.txt

On a vulnerable system, this file will be created by SYSTEM. On a patched system, NSSM will reject the change due to validation errors.


The Vulnerability (CVE? — not officially assigned)

The issue is not a memory corruption bug but a logic/permission flaw:

Detection & Hunting Indicators

Blue teams can detect exploitation attempts via:

What is NSSM?

NSSM is a popular open-source utility that wraps any executable (e.g., a batch script, Python app, or Node.js server) into a Windows service. It’s widely used in development environments, CI/CD runners, and even production systems.