Privilege Escalation Updated | Nssm224

The most sophisticated updated variant uses NSSM to restart a service that runs under a PPL-protected account (e.g., WinDefend). Since NSSM invokes ChangeServiceConfig via RPC, and the RPC call does not validate the caller’s medium integrity level against the target service’s SecurityDescriptor in the same way as a local API call, an attacker with SeImpersonatePrivilege (e.g., from a LOCAL SERVICE breach) can pivot.

This technique was partially patched in Windows 11 23H2, but many enterprise LTSB/LTSC builds remain vulnerable.

If an attacker can modify the ImagePath or Application parameter of an existing NSSM-managed service (or create a new one), they can execute arbitrary commands as SYSTEM or LOCAL SERVICE (depending on the service's configured account).

Defenders can detect this using:

While NSSM itself is not inherently vulnerable, the NSSM-224 moniker refers to a specific abuse technique discovered around 2018-2019. The number "224" corresponds to NSSM version 2.24, which was widely adopted before later updates introduced warning dialogs for certain privileged operations.
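The page does not list the detection methods it refers to. As an added example (not part of the original page and not NSSM's own code), the following PowerShell audit targets the modification path described above: it enumerates services whose binary is NSSM, reads the wrapped program from the service's `Parameters\Application` registry value (where NSSM 2.x stores it), and flags any service whose registry key or service-object DACL grants write or change-configuration rights to broad, low-privilege groups. The list of "low-privilege" identities and the `nssm` path match are assumptions you may need to tune for your environment; run it as an administrator so every service's ACL is readable.

```powershell
# Added example (not from the original page): audit NSSM-managed services for
# configuration that a non-administrator could rewrite.
# Assumptions: the service binary path contains "nssm", and the wrapped
# program lives in <service>\Parameters\Application (NSSM 2.x behaviour).

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Identities that should never hold write rights on a service or its key (assumed list).
$lowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Registry rights that allow changing ImagePath or Parameters\Application.
$writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::FullControl

function Get-NssmServiceAudit {
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match 'nssm' }

    foreach ($svc in $services) {
        $keyPath    = Join-Path $svcRoot $svc.Name
        $paramsPath = Join-Path $keyPath 'Parameters'
        $app = $null; $appParams = $null
        if (Test-Path $paramsPath) {
            $p = Get-ItemProperty -Path $paramsPath -ErrorAction SilentlyContinue
            $app       = $p.Application
            $appParams = $p.AppParameters
        }

        # 1. Registry DACL: who can rewrite ImagePath or Parameters\Application?
        $weakAces = @()
        foreach ($path in @($keyPath, $paramsPath)) {
            if (-not (Test-Path $path)) { continue }
            $acl = Get-Acl -Path $path
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($lowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
                if (($ace.RegistryRights -band $writeRights) -ne 0) {
                    $weakAces += "$($ace.IdentityReference) has $($ace.RegistryRights) on $path"
                }
            }
        }

        # 2. Service-object DACL via SDDL: DC (change config), WD/WO (write DAC/owner)
        #    or GA (generic all) granted to WD (Everyone), BU, AU or IU is a finding.
        $sddl = (& sc.exe sdshow $svc.Name | Where-Object { $_ -match '^D:' }) -join ''
        $weakSddl = foreach ($m in [regex]::Matches($sddl, '\(A;[^;]*;([A-Z]+);;;(WD|BU|AU|IU)\)')) {
            $tokens = [regex]::Matches($m.Groups[1].Value, '..') | ForEach-Object { $_.Value }
            if ($tokens | Where-Object { $_ -in 'DC', 'WD', 'WO', 'GA' }) { $m.Value }
        }

        $risk = if ($weakAces.Count -gt 0 -or @($weakSddl).Count -gt 0) { 'REVIEW' } else { 'ok' }

        [pscustomobject]@{
            Service          = $svc.Name
            RunsAs           = $svc.StartName
            ImagePath        = $svc.PathName
            Application      = $app
            AppParameters    = $appParams
            WeakRegistryAces = $weakAces
            WeakServiceAces  = @($weakSddl)
            Risk             = $risk
        }
    }
}

Get-NssmServiceAudit | Format-List
```

Any row marked `REVIEW` identifies a service whose wrapped command can be changed by an account that does not administer the host; the `Application` value also tells you which binary is actually launched as SYSTEM or LOCAL SERVICE, which is what a change-monitoring rule on that registry path should watch.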