NSSM allows a user to install and manage Windows services. When a low-privilege user has write access to an NSSM-controlled service configuration or its binary path, privilege escalation becomes possible.
Windows 11 and Server 2022 introduced stricter service control manager (SCM) behavior. However, misconfigured third-party software still grants SERVICE_CHANGE_CONFIG to Authenticated Users. The updated method uses:
# Check for vulnerable service
sc.exe sdshow VulnService
# Look for DC (SERVICE_CHANGE_CONFIG) in an AU ACE, e.g. (A;;CCDCLCSWLOCRRC;;;AU) - Authenticated Users can change config
If found, the attacker runs:
nssm.exe set VulnService AppParameters "cmd.exe /c net localgroup administrators domainuser /add"
nssm.exe restart VulnService
# Restrict change config to administrators only
sc.exe sdset VulnService "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
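The check above can be automated. This added example (not from the original page) parses the SDDL string printed by sc.exe sdshow and reports allow ACEs that give a low-privileged trustee SERVICE_CHANGE_CONFIG or equivalent control. The LOW_PRIV trustee set and the WEAK sample descriptor are constructed assumptions.

```python
import re

# SDDL right codes that let a trustee reconfigure or take over a service.
RISKY_RIGHTS = {"DC": "SERVICE_CHANGE_CONFIG", "WD": "WRITE_DAC",
                "WO": "WRITE_OWNER", "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE"}
# The same rights as access-mask bits, for ACEs written in hex.
RISKY_BITS = {0x2: "DC", 0x40000: "WD", 0x80000: "WO",
              0x10000000: "GA", 0x40000000: "GW"}
# Trustees treated as low-privileged here (assumption; extend per environment).
LOW_PRIV = {"AU": "Authenticated Users", "IU": "Interactive", "BU": "Users",
            "WD": "Everyone", "AN": "Anonymous", "BG": "Guests"}


def risky_aces(sddl):
    """Return [(trustee, [right names])] for allow ACEs that hand a
    low-privileged trustee control over the service configuration."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not dacl:
        return []          # no DACL section in the string
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A" or fields[5] not in LOW_PRIV:
            continue       # only plain allow ACEs for low-priv trustees matter
        rights = fields[2]
        if rights.lower().startswith("0x"):
            mask = int(rights, 16)
            codes = [c for bit, c in RISKY_BITS.items() if mask & bit]
        else:
            pairs = [rights[i:i + 2] for i in range(0, len(rights), 2)]
            codes = [c for c in pairs if c in RISKY_RIGHTS]
        if codes:
            findings.append((fields[5], [RISKY_RIGHTS[c] for c in codes]))
    return findings


# Constructed sample: a DACL in which Authenticated Users hold DC.
WEAK = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPLOCRRC;;;AU)"
# The restricted descriptor applied by the sdset command above.
HARDENED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
            "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)")

if __name__ == "__main__":
    for name, sddl in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, risky_aces(sddl) or "no risky ACEs")
```

Feed it the output of sc.exe sdshow for each service; any non-empty result is a descriptor to reset with sdset.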
Despite being over a decade old, NSSM 2.24 remains viable because:
Real-world breach reports (e.g., from Red Canary & Mandiant 2024) show that attackers still use NSSM-based persistence to elevate from IIS APPPOOL or LOCAL SERVICE to SYSTEM.
The classic attack vector for NSSM is a combination of two weaknesses:
If a standard user can write to C:\nssm-2.24\ (or C:\Program Files\NSSM\ if the installer was run with lax permissions), they can replace nssm.exe with a malicious binary.
Researchers discovered that in NSSM 2.24, the Parameters subkey (which holds Application, AppDirectory, AppParameters) is not always protected. If the installer used the default NSSM service creation without adjusting registry permissions:
Mitigation (for admins): Manually restrict ACLs on the service Parameters registry key. NSSM 2.24 does not do this automatically.