An attacker with write access to the root directory could place a malicious file at C:\Program.exe. When the service starts, Windows may execute C:\Program.exe instead of the intended executable under Program Files, because an unquoted service path containing spaces is resolved one space-delimited token at a time.

3. Persistence via NSSM

Beyond escalation, threat actors frequently use NSSM for persistence.
For Jax, a low-level analyst at the Global Data Hive, it started as a routine audit. He was supposed to be checking service managers, specifically the "Non-Sucking Service Manager" (NSSM) used to keep the Hive's background tasks running. But a new, undocumented update to the internal "NSSM224" protocol had just gone live, and it wasn't just a patch. It was a doorway.

The Breach
Enable Windows event auditing to track changes to services and registry keys; a new service installation is recorded in the System log as Event ID 7045 ("A service was installed in the system").
Create a dedicated service account, such as a standard Managed Service Account (MSA), and run the service under it, so that a hijacked service does not hand the attacker SYSTEM privileges.
If a standard user can modify the ImagePath value under the service's registry key, they can point the service at their own executable.
Legacy versions of NSSM (before 2.24) had issues with predictable temporary files. Although this was patched in later 2.24 sub-releases, some enterprise environments still run outdated builds that allow .
The attacker renames or replaces the legitimate nssm.exe with a malicious payload, such as:
The Persistent Risk of NSSM: Understanding Privilege Escalation in Service Management
# Enumerate services and check for non-standard paths or NSSM references
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like "*nssm*" } |
    Select-Object Name, DisplayName, PathName, StartMode
rem List auto-start services whose binary is outside C:\Windows and whose path is not quoted
wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

(wmic is deprecated on current Windows builds; the Get-CimInstance query above is the supported equivalent.)
Use AccessChk (from the Sysinternals suite) to verify the permissions on the services registry key:

accesschk.exe -kv "HKLM\SYSTEM\CurrentControlSet\Services"

Here -k tells AccessChk the argument is a registry key and -v prints the full access mask. Look for Allow entries that grant write rights to Users, Authenticated Users or Everyone.
Use EDR tools to monitor for unusual service restarts or changes to service parameters, which are often precursors to an exploit.
This is the most common variant. NSSM relies on a configuration, stored under the service's registry key, that points to the application executable it should run.
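The following audit script is an added example, not code from the original article or from the NSSM project. It ties together the three weaknesses discussed on this page: an unquoted ImagePath with spaces (and whether the directories Windows would search first are actually writable), a service registry key that low-privilege principals can write (so ImagePath itself can be repointed), and, for NSSM-wrapped services, a writable Parameters key, target binary or target folder. It assumes an elevated PowerShell session on the host being audited, that the Parameters\Application value is NSSM's documented registry layout, and that the group names listed are the English defaults for the well-known principals.

```powershell
# Added example: audit services for unquoted paths, writable service keys and
# writable NSSM targets. Assumes elevation and English well-known group names.

$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a caller change the object. GENERIC_WRITE and GENERIC_ALL
# are included because some ACEs carry generic rather than specific rights.
$GenericWriteOrAll = 0x40000000 -bor 0x10000000
$RegWriteMask = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
                      [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                      [System.Security.AccessControl.RegistryRights]::WriteKey -bor
                      [System.Security.AccessControl.RegistryRights]::FullControl) -bor $GenericWriteOrAll
$FsWriteMask  = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                      [System.Security.AccessControl.FileSystemRights]::Modify -bor
                      [System.Security.AccessControl.FileSystemRights]::FullControl) -bor $GenericWriteOrAll

function Test-LowPrivWrite {
    # True when an Allow ACE grants a low-privilege principal any right in
    # $WriteMask. Works for both registry and file-system ACLs.
    param($Acl, [int]$WriteMask)
    if (-not $Acl) { return $false }
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
            [int]$ace.RegistryRights } else { [int]$ace.FileSystemRights }
        if ($rights -band $WriteMask) { return $true }
    }
    return $false
}

function Get-UnquotedPathCandidates {
    # For an unquoted "C:\Program Files\Foo Bar\svc.exe", Windows tries
    # C:\Program.exe and then C:\Program Files\Foo.exe before the real binary.
    param([string]$ImagePath)
    $out = @()
    if ([string]::IsNullOrWhiteSpace($ImagePath) -or $ImagePath.StartsWith('"')) { return $out }
    $m = [regex]::Match($ImagePath, '^(.*?\.exe)', 'IgnoreCase')
    $exe = if ($m.Success) { $m.Groups[1].Value } else { $ImagePath }
    $i = $exe.IndexOf(' ')
    while ($i -ge 0) {
        $out += $exe.Substring(0, $i) + '.exe'
        $i = $exe.IndexOf(' ', $i + 1)
    }
    return $out
}

function Get-ServiceWeakness {
    # Returns finding strings for one service (empty when nothing was found).
    param([string]$Name)
    $findings = @()
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { return $findings }

    # (1) Unquoted path: report it, and whether it is exploitable right now.
    foreach ($candidate in Get-UnquotedPathCandidates ([string]$props.ImagePath)) {
        $dir = Split-Path -Parent $candidate
        $writable = (Test-Path -LiteralPath $dir) -and
                    (Test-LowPrivWrite (Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue) $FsWriteMask)
        $note = if ($writable) { ' (directory WRITABLE by low-privilege users)' } else { '' }
        $findings += "unquoted ImagePath, Windows would try $candidate first$note"
    }

    # (2) Service key ACL: write access here lets a user rewrite ImagePath.
    if (Test-LowPrivWrite (Get-Acl -Path $key -ErrorAction SilentlyContinue) $RegWriteMask) {
        $findings += 'service registry key writable by low-privilege principal'
    }

    # (3) NSSM wrapper: the real target is Parameters\Application.
    $paramKey = "$key\Parameters"
    $app = (Get-ItemProperty -Path $paramKey -Name Application -ErrorAction SilentlyContinue).Application
    if ($app) {
        if (Test-LowPrivWrite (Get-Acl -Path $paramKey -ErrorAction SilentlyContinue) $RegWriteMask) {
            $findings += 'NSSM Parameters key writable by low-privilege principal'
        }
        foreach ($target in @($app, (Split-Path -Parent $app))) {
            if ((Test-Path -LiteralPath $target) -and
                (Test-LowPrivWrite (Get-Acl -LiteralPath $target -ErrorAction SilentlyContinue) $FsWriteMask)) {
                $findings += "NSSM target $target writable by low-privilege principal"
            }
        }
    }
    return $findings
}

Get-Service | ForEach-Object {
    $f = @(Get-ServiceWeakness $_.Name)
    if ($f.Count -gt 0) {
        [pscustomobject]@{ Service = $_.Name; Findings = ($f -join '; ') }
    }
} | Format-Table -AutoSize -Wrap
```

An unquoted path is only a finding worth escalating when one of the candidate directories is writable, which is why the script reports both facts separately; on a default install C:\ and C:\Program Files are not writable by standard users, so most unquoted paths are noise until an administrator has loosened those ACLs.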
The theoretical risk described above is not just academic. Threat actors have already weaponized NSSM for malicious purposes in active campaigns.
A proof-of-concept (PoC) exploit has been developed that demonstrates the vulnerability. The PoC exploit:
Monitor for unusual service creation events (Event ID 7045 in the System log) or changes to service configurations.
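As an added example of the monitoring described here (not code from the original article), the script below triages Event ID 7045 records. It assumes the event's EventData fields are named ServiceName, ImagePath, ServiceType, StartType and AccountName, which is how the Service Control Manager writes that event; the rules flag NSSM wrappers and binaries in user-writable locations, and note when such an install runs as LocalSystem. The three sample records at the bottom are constructed for offline testing and are not real log data; on a Windows host the script also pulls live events from the last seven days.

```powershell
# Added example: triage "A service was installed in the system" (Event ID 7045)
# records for NSSM-based persistence. Sample records below are constructed.

function Test-SuspiciousServiceInstall {
    # Returns the reasons an install looks suspicious (empty means benign).
    param([string]$ServiceName, [string]$ImagePath, [string]$AccountName)
    $reasons = @()
    $path = $ImagePath.Trim('"')
    # nssm.exe (or nssm64.exe) as the service binary means a wrapper, and the
    # real payload lives in the Parameters key, not in ImagePath.
    if ($path -match '(?i)\\nssm[^\\]*\.exe') { $reasons += 'NSSM wrapper' }
    # Service binaries that standard users could overwrite.
    if ($path -match '(?i)\\(Users|Temp|ProgramData|AppData)\\') { $reasons += 'image under a user-writable location' }
    # A weak binary running as SYSTEM is the escalation case described above.
    if ($reasons.Count -gt 0 -and $AccountName -eq 'LocalSystem') { $reasons += 'runs as LocalSystem' }
    return $reasons
}

function Get-ServiceInstallEvents {
    # Reads 7045 records from the System log (Windows only) and flattens the
    # EventData fields into one object per install.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    if (-not (Get-Command Get-WinEvent -ErrorAction SilentlyContinue)) { return }
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                ServiceName = $data['ServiceName']
                ImagePath   = $data['ImagePath']
                AccountName = $data['AccountName']
            }
        }
}

# Constructed sample records (not real logs): one benign built-in service,
# one NSSM wrapper dropped in a user-writable folder, one quoted vendor agent.
$samples = @(
    [pscustomobject]@{ Time = (Get-Date); ServiceName = 'WSearch';     ImagePath = '%SystemRoot%\system32\SearchIndexer.exe /Embedding'; AccountName = 'LocalSystem' }
    [pscustomobject]@{ Time = (Get-Date); ServiceName = 'Updater';     ImagePath = 'C:\Users\Public\svc\nssm.exe';                       AccountName = 'LocalSystem' }
    [pscustomobject]@{ Time = (Get-Date); ServiceName = 'VendorAgent'; ImagePath = '"C:\Program Files\Vendor\agent.exe"';                AccountName = 'NT AUTHORITY\NetworkService' }
)

foreach ($ev in @($samples) + @(Get-ServiceInstallEvents)) {
    $why = @(Test-SuspiciousServiceInstall $ev.ServiceName $ev.ImagePath $ev.AccountName)
    if ($why.Count -gt 0) {
        '{0}  {1,-12} {2}  <- {3}' -f $ev.Time.ToString('s'), $ev.ServiceName, $ev.ImagePath, ($why -join ', ')
    }
}
```

Of the three constructed records only Updater is reported (NSSM wrapper, user-writable location, runs as LocalSystem); when an NSSM wrapper is flagged, the next step is to read HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters to see which binary it actually launches, since ImagePath alone only names nssm.exe.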