NSSM 2.24 Privilege Escalation (Updated)
Here’s a concise technical overview regarding NSSM (Non-Sucking Service Manager) version 2.24 and its potential use in privilege escalation scenarios (updated perspective):
4. Enable Attack Surface Reduction (ASR) Rules
Set-MpPreference -AttackSurfaceReductionRules_Ids d1e49aac-8f56-4280-b9ba-993a6d77406c -AttackSurfaceReductionRules_Actions Enabled
This rule blocks “Process creations from PSExec and WMI commands” – also catches NSSM-based service tampering in some builds.
5. Use Service SIDs (Windows 10/Server 2016+)
Set ServiceSidType = Unrestricted in the service registry to limit token privileges.
3. Restrict Service ACLs
sc sdset MyService D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)
This grants full control only to SYSTEM and Administrators.
Step 1: Identify NSSM Services
Get-WmiObject win32_service | Where-Object { $_.PathName -like "*nssm*" } | Select Name, PathName, StartName
Step 4: Restart the Service
net stop nssm_managed_service && net start nssm_managed_service
If successful, the attacker’s reverse_shell.exe runs as SYSTEM.
NSSM 2.24 – Privilege Escalation Vector
NSSM allows a user to install and manage Windows services. When a low-privilege user has write access to an NSSM-controlled service configuration or its binary path, privilege escalation becomes possible.
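An audit for the condition described above, extending the Step 1 enumeration: for each NSSM-wrapped service it lists SIDs outside a trusted set that hold write-type rights on the NSSM Parameters registry key, the nssm.exe wrapper, or the wrapped application. This is an added example, not code from the original page; the registry location, the trusted-SID list and the function name Get-UntrustedWriter are assumptions of the example.

```powershell
# Added audit example, not part of the original page. Read-only; run from an elevated prompt.
# Assumption: NSSM keeps per-service settings under
# HKLM:\SYSTEM\CurrentControlSet\Services\<name>\Parameters (value "Application").

# SIDs expected to hold write access: SYSTEM, Administrators, CREATOR OWNER, TrustedInstaller
$trusted = 'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0',
           'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

# Write-type bits: write data/values, DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL
$fileMask = 0x500D0116
$regMask  = 0x500D0006

function Get-UntrustedWriter {
    param([string]$Path, [int]$Mask)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        $rights = if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
            [int]$ace.RegistryRights } else { [int]$ace.FileSystemRights }
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -notin $trusted -and
            ($rights -band $Mask) -ne 0) {
            $ace.IdentityReference.Value   # SID of a principal that can modify the object
        }
    }
}

Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like '*nssm*' } |
    ForEach-Object {
        $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
        $app  = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).Application
        $path = $_.PathName.Trim()
        $nssm = if ($path -match '^"([^"]+)"') { $Matches[1] } else { ($path -split '\s+')[0] }
        $targets = @(
            @{ Kind = 'NSSM registry key';   Path = $key;  Mask = $regMask }
            @{ Kind = 'nssm.exe wrapper';    Path = $nssm; Mask = $fileMask }
            @{ Kind = 'Wrapped application'; Path = $app;  Mask = $fileMask }
        )
        foreach ($t in $targets) {
            if (-not $t.Path) { continue }
            foreach ($sid in (Get-UntrustedWriter -Path $t.Path -Mask $t.Mask)) {
                [pscustomobject]@{ Service = $_.Name; RunsAs = $_.StartName
                                   Kind = $t.Kind; Path = $t.Path; WriterSid = $sid }
            }
        }
    }
```

Any row in the output is a principal that can change what a service account executes; an empty result means only the trusted SIDs hold write-type rights on the objects checked.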
NSSM 2.24 Revisited: From Service Wrapper to Privilege Escalation Vector
Date: April 12, 2026
Category: Cybersecurity / Windows Privilege Escalation
Tool: NSSM (Non-Sucking Service Manager) v2.24
What Is NSSM? A Quick Refresher
The Non-Sucking Service Manager (nssm.exe) is a legitimate, open-source utility designed to run any executable as a Windows service. Unlike sc.exe or PowerShell’s New-Service, NSSM handles service failure recovery, environment variables, and graceful shutdowns. It is widely deployed by system administrators to convert batch scripts, Node.js apps, or Python daemons into persistent services.
However, its convenience creates a powerful attack primitive: if an attacker can write nssm.exe to disk (or use an existing installation) and has the ability to modify service configurations, they can escalate privileges.