
Privilege Escalation — Nssm-2.24

But the real prize is . On many systems, authenticated users can enumerate and modify NSSM-managed services due to overly permissive service security descriptors.

Technical Deep Dive: How the Escalation Works

Step 1 – Enumeration

An attacker with low-privileged access (e.g., a standard user on a compromised workstation or via a reverse shell) first enumerates all services:

sc qc <service_name>

If the BINARY_PATH_NAME points to an NSSM executable (e.g., C:\nssm-2.24\win32\nssm.exe), the service is a candidate. Using accesschk.exe from Sysinternals or PowerShell, the attacker checks if they have SERVICE_CHANGE_CONFIG or WRITE_DAC rights:

accesschk.exe -uwcqv "Authenticated Users" <service_name>
accesschk.exe -uwcqv "BUILTIN\Users" <service_name>

If the attacker has write access to the service configuration (often misconfigured in legacy systems), they can proceed. The attacker changes the binPath to point to a malicious executable they control:

If you must use NSSM, migrate to version 2.24. Better yet, use a maintained alternative like WinSW with XML configuration files that support integrity checks.

Conclusion

NSSM 2.24 privilege escalation is not a classic buffer overflow or race condition—it is a design weakness amplified by common misconfigurations. Attackers love it because it turns a low-privilege foothold into full SYSTEM access with minimal noise.

The key takeaway: . Run accesschk.exe -c * | findstr "NSSM" across your Windows fleet. If you find NSSM 2.24, assume it is a potential backdoor. Harden it, replace it, or risk becoming the next case study in a privilege escalation report.

Appendix: Quick Fix Commands

# Find NSSM services
Get-WmiObject win32_service | Where-Object { $_.PathName -like "*nssm*" } | Format-Table Name, StartName, PathName

# Restrict service modification to Administrators
sc sdset MyNSSMService "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"

# Change binary path to secure location
sc config MyNSSMService binPath= "C:\Program Files\SecureApp\app.exe" obj="NT AUTHORITY\LocalService"
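The service-DACL weakness described above can be audited fleet-wide without accesschk: the PowerShell below (an added example, not code from the original post) lists every service whose binary is NSSM, pulls its security descriptor with sc.exe sdshow, and flags ACEs that grant config-changing rights to broad principals. It assumes sc.exe is on PATH and that the caller may read service security descriptors; the principal list and right codes are standard SDDL aliases, with Everyone (WD as a SID) and WRITE_DAC (WD as a right) kept apart by their field position.

```powershell
# Added audit example (not from the original post). Lists services whose binary is
# NSSM and flags ACEs that give broad principals rights to reconfigure the service.
# Assumes sc.exe is on PATH and the caller may read service security descriptors.

# Principals that should never hold write rights on a service (SDDL aliases and SIDs)
$broadSids   = @('AU', 'BU', 'WD', 'IU', 'S-1-5-11', 'S-1-5-32-545', 'S-1-1-0')
# SDDL rights that allow changing config (DC), rewriting the DACL/owner (WD, WO),
# deleting the service (SD), or generic all/write (GA, GW)
$writeRights = @('DC', 'WD', 'WO', 'SD', 'GA', 'GW')
# Same rights as an access mask, for ACEs that carry a hex mask instead of letters
$writeMask   = 0x0002 -bor 0x40000 -bor 0x80000 -bor 0x10000 -bor 0x10000000 -bor 0x40000000

function Test-ServiceAceRisky {
    param([string]$Rights, [string]$Sid)
    if ($broadSids -notcontains $Sid) { return $false }
    if ($Rights -match '^0x') {                            # rights given as a hex mask
        return (([int64]$Rights -band $writeMask) -ne 0)
    }
    for ($i = 0; $i -lt $Rights.Length - 1; $i += 2) {     # run of two-letter tokens
        if ($writeRights -contains $Rights.Substring($i, 2)) { return $true }
    }
    return $false
}

function Get-NssmServiceAudit {
    Get-CimInstance Win32_Service | Where-Object { $_.PathName -like '*nssm*' } | ForEach-Object {
        $svc  = $_
        # sdshow prints the DACL as one SDDL line starting with "D:("
        $sddl = (& sc.exe sdshow $svc.Name | Where-Object { $_ -match 'D:\(' }) -join ''
        # Each allow ACE is (A;flags;rights;objguid;inhguid;sid)
        $risky = foreach ($m in [regex]::Matches($sddl, '\(A;([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)')) {
            if (Test-ServiceAceRisky -Rights $m.Groups[2].Value -Sid $m.Groups[5].Value) {
                '{0}:{1}' -f $m.Groups[5].Value, $m.Groups[2].Value
            }
        }
        [pscustomobject]@{
            Name      = $svc.Name
            RunsAs    = $svc.StartName
            BinPath   = $svc.PathName
            RiskyAces = ($risky -join ' ')
        }
    }
}

Get-NssmServiceAudit | Format-Table -AutoSize
```

Any row with a non-empty RiskyAces column is a service a standard user could reconfigure; the sc sdset line in the appendix is the corresponding fix.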
