NSSM 2.24 Privilege Escalation (Updated May 2026)
Here’s a concise technical overview regarding NSSM (Non-Sucking Service Manager) version 2.24 and its potential use in privilege escalation scenarios (updated perspective):
Obtain Shell: Catch the reverse shell as NT AUTHORITY\SYSTEM.
4. Prevention and Mitigation
5. Use Service SIDs (Windows 10/Server 2016+)
Set ServiceSidType = Unrestricted in the service registry to limit token privileges.
- Replace the service binary: If the service's ImagePath points to a file in a directory writable by an unprivileged user, replacing it with a malicious executable yields SYSTEM on service start.
- Abuse writable nssm-managed config (registry) values: nssm stores some service parameters in the registry; a writable key can let an attacker modify ImagePath or AppDirectory to a malicious location.
- Hijack files used by the service: modify DLLs, configuration files, or helper executables loaded by the service.
- Abuse service permissions: If the service's security descriptor grants non-admin users rights to change service configuration, sc.exe or the native API can alter ImagePath or the service start type.
- Log/file redirection abuse: nssm can redirect stdout/stderr to files; if those files or parent directories are writable and used in a way that causes code execution, they can be abused.
- PATH/working-directory hijack: If the service launches a helper using only a filename, and the working directory or PATH includes writable locations, attacker-controlled executables can be loaded.
Look for (A;;RPWP;;;WD) or (A;;RPWPDT;;;AU) – these allow authenticated users to modify service configuration.
Monitor Service Restarts: Use EDR tools to monitor for unusual service restarts or changes to service parameters, which are often precursors to an exploit.
An attacker could exploit this vulnerability by creating a specially crafted configuration file and placing it in a directory that NSSM reads from. When NSSM reads the configuration file, it could execute the attacker's malicious code with elevated privileges.
3. Restrict Service ACLs
sc sdset MyService D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)
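
The ACE check described above ("Look for ...") and the descriptor passed to sc sdset can be audited together. This is an added example, not code from the original page or the NSSM project: a Python parser that decodes the DACL printed by `sc sdshow` and reports allow-ACEs giving broad principals service control or reconfiguration rights. The function names, the set of principals treated as broad, and the sample descriptors are assumptions constructed for illustration.

```python
import re

# SDDL right codes as they apply to service objects (winsvc.h access rights).
RECONFIG = {"DC": "SERVICE_CHANGE_CONFIG", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
            "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE"}
CONTROL = {"RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE"}
# SID aliases that cover unprivileged users (assumed list, extend as needed).
BROAD = {"WD": "Everyone", "AU": "Authenticated Users",
         "IU": "Interactive", "BU": "Builtin Users"}

def parse_dacl(sddl):
    """Return (ace_type, rights, trustee) tuples for the DACL of an SDDL string."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not dacl:
        raise ValueError("no DACL found in SDDL string")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        rights = re.findall(r"[A-Z]{2}", fields[2])  # letter form only, not 0x masks
        aces.append((fields[0], rights, fields[5]))
    return aces

def audit_service_sddl(sddl):
    """List allow-ACEs that give broad principals control or reconfiguration rights."""
    findings = []
    for ace_type, rights, trustee in parse_dacl(sddl):
        if ace_type != "A" or trustee not in BROAD:
            continue
        reconfig = [RECONFIG[r] for r in rights if r in RECONFIG]
        control = [CONTROL[r] for r in rights if r in CONTROL]
        if reconfig:
            findings.append(("reconfigure", BROAD[trustee], reconfig))
        if control:
            findings.append(("control", BROAD[trustee], control))
    return findings

# Constructed samples: a pattern named in the text, an ACE granting
# SERVICE_CHANGE_CONFIG to Authenticated Users, and the sc sdset descriptor above.
SAMPLES = {
    "everyone-start-stop": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;RPWP;;;WD)",
    "authusers-change-config": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCRPWP;;;AU)",
    "hardened": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)",
}

if __name__ == "__main__":
    for name, sddl in SAMPLES.items():
        print(name, audit_service_sddl(sddl) or "no broad control/reconfig rights")
```

WD means Everyone in the trustee field but WRITE_DAC in the rights field, which is why the two are looked up in separate tables.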