The "Privilege Escalation Updated" tag comes after a proof-of-concept exploit demonstrated that the flaw doesn't just crash the service—it manipulates the recovery mechanism. By injecting a malicious payload into the service’s failure command flag, an attacker with low-level access can force the application to execute arbitrary code with SYSTEM privileges.
If the path to the executable NSSM manages contains spaces and is not enclosed in quotes (e.g., C:\Program Files\App Name\nssm.exe), an attacker can place a malicious file (e.g., C:\Program.exe) to be executed by the system during reboot.
To help you further, are you analyzing a ? If you can share the file permissions (icacls output) or if the path is unquoted, I can tell you exactly which command to use.
If they lack service control permissions, they may simply wait for a system reboot or trigger an intentional crash if the service is configured to auto-restart. Upon restarting, NSSM executes exploit.exe with the privileges assigned to the service (usually SYSTEM).

Defensive Strategies and Remediation
Ensure all service paths are properly quoted in the Windows Registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
If exploiting , the attacker modifies the registry path using reg.exe:
An attacker gains a foothold on a system as a low-privileged user and enumerates running services to find those managed by NSSM or located in non-standard directories. Using PowerUp.ps1 or a built-in command line:
reg add "HKLM\SYSTEM\CurrentControlSet\Services\TargetService\Parameters" /v Application /t REG_SZ /d "C:\Temp\payload.exe" /f
Enable Windows Event Auditing to track changes to services and registry keys, including the "New service was installed" event.
If the directory containing the target application executable managed by NSSM has weak permissions, an attacker can simply replace the legitimate binary with a malicious one (e.g., a reverse shell or a payload that creates a new administrator user). When the service restarts, NSSM executes the malicious payload with SYSTEM privileges.

2. Registry Modification (Weak Key Permissions)
NSSM stores its configuration parameters (like the Application path) in the Windows Registry under: HKLM\SYSTEM\CurrentControlSet\Services\ \Parameters
However, in the context of red teaming and penetration testing, NSSM 2.24 has become a notorious binary for unintended privilege escalation. Recently, updated research has shed light on specific configurations and default behaviors in version 2.24 that, while patched or altered in later forks, remain exploitable on legacy systems and misconfigured enterprise environments.
Paths within C:\Program Files or C:\Program Files (x86) inherit secure permissions by default, but custom application roots (e.g., C:\Apps\) do not. Run a hardening script to clean up ACLs:
Securing your environment against NSSM224 requires a multi-layered approach to access management and system hardening.

Enforce the Principle of Least Privilege