If you must use NSSM, migrate to version 2.24 . Better yet, use a maintained alternative like WinSW with XML configuration files that support integrity checks. Conclusion NSSM 2.24 privilege escalation is not a classic buffer overflow or race condition—it is a design weakness amplified by common misconfigurations. Attackers love it because it turns a low-privilege foothold into full SYSTEM access with minimal noise.
sc config <service_name> binPath= "C:\temp\malware.exe" Or, if using NSSM directly: nssm-2.24 privilege escalation
Introduction NSSM (Non-Sucking Service Manager) has long been a staple for system administrators and developers on the Windows platform. Versions like 2.24 , released in the mid-2010s, are celebrated for their ability to turn any executable into a Windows service quickly. However, beneath its utilitarian veneer lies a dangerous attack vector: privilege escalation . If you must use NSSM, migrate to version 2
The key takeaway: . Run accesschk.exe -c * | findstr "NSSM" across your Windows fleet. If you find NSSM 2.24, assume it is a potential backdoor. Harden it, replace it, or risk becoming the next case study in a privilege escalation report. Appendix: Quick Fix Commands # Find NSSM services Get-WmiObject win32_service | Where-Object $_.PathName -like "*nssm*" | Format-Table Name, StartName, PathName Restrict service modification to Administrators sc sdset MyNSSMService "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)" Change binary path to secure location sc config MyNSSMService binPath= "C:\Program Files\SecureApp\app.exe" obj="NT AUTHORITY\LocalService" Attackers love it because it turns a low-privilege
But the real prize is . On many systems, authenticated users can enumerate and modify NSSM-managed services due to overly permissive service security descriptors. Technical Deep Dive: How the Escalation Works Step 1 – Enumeration An attacker with low-privileged access (e.g., a standard user on a compromised workstation or via a reverse shell) first enumerates all services:
Stay secure. Never trust legacy wrappers with SYSTEM privileges.
accesschk.exe -uwcqv "Authenticated Users" <service_name> accesschk.exe -uwcqv "BUILTIN\Users" <service_name> If the attacker has write access to the service configuration (often misconfigured in legacy systems), they can proceed. The attacker changes the binPath to point to a malicious executable they control:
