NSSM224 Privilege Escalation Updated
The "NSSM224 privilege escalation" topic refers to security vulnerabilities in the Non-Sucking Service Manager (NSSM).
Kernel Exploitation: Exploiting flaws in the operating system's kernel, such as the Linux netfilter vulnerability (CVE-2024-1086), allows local attackers to escalate to root by leveraging use-after-free bugs.
Service Binary Replacement: Attackers check the Application registry value to find the exact binary NSSM is calling. Security researchers from MDSec have documented similar "junction" and "symbolic link" attacks in Windows services to redirect file operations, which can be applied to NSSM's file logging features.
- Creates a malicious nssm configuration file.
- Sends a specially crafted command to the nssm service.
- Executes arbitrary code with elevated privileges.
Legacy versions of NSSM (pre-2.24) had issues with predictable temporary files. While patched in later 2.24 sub-releases, some enterprise environments still run outdated builds that allow race condition attacks.
- Post-migration audits: Companies moving from on-prem AD to Azure AD hybrid setups often forget to audit old NSSM services.
- Ransomware gangs: Groups like Medusa and Black Basta have incorporated NSSM-224 into their privilege escalation playbooks after successful campaigns against MSPs.
- Cobalt Strike modules: A 2025 update to the elevate command added an nssm_system module, officially resurrecting the technique.
- Defender gaps: Microsoft Defender for Endpoint's default ASR rules do not block nssm.exe unless it is explicitly added to DisallowedProcesses.
Detection: How to Find nssm224 Privilege Escalation Attempts
- Enumerate writable service binaries – Find a service where the binPath points to a user-writable location.
- Use NSSM to edit the service – Run nssm edit <servicename> and point Application to cmd.exe or a reverse shell.
- Restart the service – The new binary executes with the service's existing privileges (often SYSTEM or LOCAL SERVICE).
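One way to audit for the writable-binary condition in the steps above, as an added example that is not part of the original page: it reads the Application value stored under each service's Parameters key and lists non-administrative principals that can write to that binary or its folder. The trusted-SID list and the output column names are assumptions of this example.

```powershell
# Added example, not from the original page: read-only audit, run elevated.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Access bits that allow replacing a file or dropping files into a directory.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, ChangePermissions, TakeOwnership'

# Assumed trusted writers: SYSTEM, BUILTIN\Administrators, TrustedInstaller.
$trusted = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

function Get-RiskyAce {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return }
    # Ask for SIDs so the comparison does not depend on the display language.
    # Inherit-only ACEs are skipped: they apply to children, not to $Path itself.
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.PropagationFlags -notmatch 'InheritOnly') -and
            (([int]$_.FileSystemRights -band $writeBits) -ne 0) -and
            ($trusted -notcontains $_.IdentityReference.Value)
        }
}

Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $name  = $_.PSChildName
    $image = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    $app   = (Get-ItemProperty -LiteralPath "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue).Application
    if (-not $app) { return }            # no NSSM-style Application value
    $app = $app.Trim('"')

    # The binary and its folder both matter: a writable folder lets a
    # non-admin swap the file even when the file's own ACL is tight.
    foreach ($target in @($app, (Split-Path -Path $app -Parent))) {
        foreach ($ace in (Get-RiskyAce -Path $target)) {
            [pscustomobject]@{
                Service   = $name
                ImagePath = $image
                Target    = $target
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}
```

Any row in the output is a service whose target should be moved to a protected directory or have its ACL tightened; an empty result means no such grant was found for the services inspected.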
CVE-2024-20656 - Local Privilege Escalation in the ... - MDSec
