NSSM 2.24 Privilege Escalation: Updated Analysis, Exploit Vectors, and Mitigation Strategies
1. Upgrade NSSM
- Use NSSM 2.24.1 or later (unofficial patches from community builds). Better yet, migrate to native Windows services or sc.exe.
Scenario 2: Weak Service Binary Permissions
Even with quoted paths, NSSM 2.18 through 2.24 sometimes inherit weak ACLs (Access Control Lists) on the registry key:
HKLM\SYSTEM\CurrentControlSet\Services\MyService
If a standard user can modify the ImagePath value, they can point the service to their own executable.
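An audit for the weak-ACL condition described above, as an added PowerShell example that is not from the original page or the NSSM project. It checks each NSSM-wrapped service key and its Parameters subkey for write-capable ACEs; the trusted-SID list and the match on "nssm" in ImagePath are assumptions to adapt to your environment.

```powershell
# Added example: list write-capable ACEs held by unexpected principals on
# NSSM service keys. Run elevated so every key's ACL can be read.
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Rights that allow changing ImagePath or values under Parameters.
$writeMask = [int]([System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership')
$genericMask = 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

# Assumption: principals expected to hold write access on service keys.
$trustedSids = @(
    'S-1-5-18',      # LocalSystem
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0'        # CREATOR OWNER
)
$trustedPrefix = 'S-1-5-80-'   # NT SERVICE\* accounts, including TrustedInstaller

function Get-WeakServiceKeyAce {
    param([Parameter(Mandatory)][string]$KeyPath)
    $acl = Get-Acl -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$ace.RegistryRights
        if (-not (($rights -band $writeMask) -or ($rights -band $genericMask))) { continue }
        # Compare by SID so localized or renamed group names do not matter.
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }
        if ($trustedSids -contains $sid -or $sid.StartsWith($trustedPrefix)) { continue }
        [pscustomobject]@{
            Key      = $KeyPath
            Identity = $ace.IdentityReference.Value
            Rights   = $ace.RegistryRights
        }
    }
}

Get-ChildItem -LiteralPath $servicesRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $svcKey = Join-Path $servicesRoot $_.PSChildName
    $imagePath = (Get-ItemProperty -LiteralPath $svcKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($imagePath -notmatch 'nssm') { return }   # only services launched through NSSM
    foreach ($key in @($svcKey, "$svcKey\Parameters")) {
        if (Test-Path -LiteralPath $key) { Get-WeakServiceKeyAce -KeyPath $key }
    }
} | Format-Table -AutoSize -Wrap
```

Any row returned is a principal outside the trusted list that can rewrite the service's configuration; review it and tighten the key's ACL if the access is not intended.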
The "Updated" NSSM-224: What Has Changed?
Recent research (late 2024 through mid-2025) has identified three updated variants of the NSSM-224 technique. These are not patches to NSSM but rather new ways to abuse it in modern Windows environments. NSSM 2
How to Detect Exploitation
- Process Anomalies: Look for nssm.exe spawning cmd.exe or powershell.exe with network connections.
- Registry Auditing: Enable SACL auditing on HKLM\SYSTEM\CurrentControlSet\Services\*\Parameters\Application. Monitor changes by non-admin users.
- File Integrity: Monitor C:\nssm-2.24\ for unexpected binary replacements.