CVE-2016-0099
published 2016-03-09

Priority: P1 (85, high); CVSS 3.1 base score 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, due 2022-03-24
Exploited in the wild
EPSS: 37.16% (percentile 98.3)
The Secondary Logon Service in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 does not properly process request handles, which allows local users to gain privileges via a crafted application, aka "Secondary Logon Elevation of Privilege Vulnerability."

Affected (2 ranges)

Vendor      Product               Version range   Fixed in
microsoft   windows_server_2008
microsoft   windows_server_2012

Detection & IOCs (extracted from sources)

path:    data/exploits/CVE-2016-0099/cve_2016_0099.ps1
command: cmd.exe /C powershell -exec Bypass -nonI -window Hidden
command: Invoke-MS16-032
  • Detect exploitation attempts by monitoring for PowerShell processes launched with the '-exec Bypass -nonI -window Hidden' flags, which is the exact command string used by the Metasploit MS16-032 module for CVE-2016-0099.
  • Monitor for the exploit PowerShell script file 'cve_2016_0099.ps1' being written to or executed from disk, as dropped by the Metasploit module.
  • Alert on calls to NtImpersonateThread combined with CreateProcessWithLogonW using the LOGON_NETCREDENTIALS_ONLY (0x00000002) and CREATE_SUSPENDED (0x00000004) flags; this is the core exploit primitive for CVE-2016-0099.
  • Monitor for DuplicateHandle calls targeting handle value 0x4 (the thread handle leaked from the Secondary Logon service svchost process), which is the specific handle value exploited in CVE-2016-0099 PoCs.
  • Detect exploitation in the context of Trigona ransomware attacks: look for indicators of compromise on internet-exposed MSSQL servers with weak passwords, since attackers use CVE-2016-0099 to escalate privileges after initial access.
  • The exploit requires at least 2 logical CPU cores to succeed (race condition); alert on exploit tool output or logs referencing this check as a sign of active exploitation attempts.
  • Monitor for SetThreadToken API calls in a tight loop (token race) against a suspended process spawned by CreateProcessWithLogonW; this is the privilege escalation race condition pattern for CVE-2016-0099.
  • The Metasploit module sets a default WfsDelay of 30 seconds and a TIMEOUT of 60 seconds before cleaning up the dropped PowerShell payload; detection windows must account for this short-lived artifact on disk.
  • The exploit only works on systems with PowerShell 2.0 or later AND two or more CPU cores; scanning for vulnerable assets should filter on these criteria to reduce false positives.
  • The C PoC must match OS bitness (32-bit vs 64-bit) and must be compiled with 'Any CPU' support (not 32-bit preferred); mismatched builds fail silently.
  • The exploit does not work from Low Integrity Level (Low IL); it requires at minimum Medium IL to succeed.
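The first three indicators above (the PowerShell launch flags, the dropped 'cve_2016_0099.ps1' script, and the 'Invoke-MS16-032' command) can be turned into a small process-creation and file-creation matcher. The following is an added example, not code from this page or from any detection rule it links to; the event shape (event_id 1 for process creation, 11 for file creation, Sysmon-style field names) and all sample events are constructed assumptions. It deliberately generalizes the page's exact command string by accepting the long and short spellings PowerShell allows for the same three switches, so a reordering or '-ExecutionPolicy Bypass -NonInteractive -WindowStyle Hidden' is still caught, while a plain '-ExecutionPolicy Bypass' admin script is not.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Indicators taken from the page's "Detection & IOCs" section.
EXPLOIT_SCRIPT_NAME = "cve_2016_0099.ps1"
EXPLOIT_FUNCTION = "invoke-ms16-032"

# The three switches in "-exec Bypass -nonI -window Hidden", each written to
# accept the abbreviated and full spellings PowerShell treats as equivalent
# (assumption: input is lower-cased and whitespace-normalized first).
FLAG_PATTERNS = [
    re.compile(r"-(?:ex(?:ec(?:utionpolicy)?)?|ep)\s+bypass"),  # -exec / -ep / -ExecutionPolicy
    re.compile(r"-noni(?:nteractive)?\b"),                       # -nonI / -NonInteractive
    re.compile(r"-w(?:indow(?:style)?)?\s+hidden"),              # -window / -w / -WindowStyle
]


@dataclass
class Event:
    """Constructed, Sysmon-like endpoint event (assumed field names)."""
    event_id: int               # 1 = process creation, 11 = file creation
    image: str
    command_line: str = ""
    target_filename: str = ""


def _norm(text: str) -> str:
    """Lower-case and collapse whitespace so flag matching is spelling-tolerant."""
    return re.sub(r"\s+", " ", text).strip().lower()


def match_event(ev: Event) -> List[str]:
    """Return the names of the CVE-2016-0099 indicators this event triggers."""
    hits: List[str] = []
    cmd = _norm(ev.command_line)
    # Indicator 1: PowerShell started with all three MS16-032 launch flags.
    if ev.event_id == 1 and "powershell" in cmd and all(p.search(cmd) for p in FLAG_PATTERNS):
        hits.append("ms16032_powershell_flags")
    # Indicator 3: the exploit's entry-point function named on the command line.
    if EXPLOIT_FUNCTION in cmd:
        hits.append("invoke_ms16_032")
    # Indicator 2: the dropped script referenced by a process or written to disk.
    if EXPLOIT_SCRIPT_NAME in cmd or EXPLOIT_SCRIPT_NAME in _norm(ev.target_filename):
        hits.append("exploit_script_on_disk")
    return hits


def scan(events: List[Event]) -> List[Tuple[int, str, List[str]]]:
    """Run match_event over a batch and keep only events with at least one hit."""
    findings = []
    for idx, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            findings.append((idx, ev.image, hits))
    return findings


# Constructed sample telemetry: four exploitation-shaped events, two benign ones.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\cmd.exe",
          command_line="cmd.exe /C powershell -exec Bypass -nonI -window Hidden"),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line="powershell -ExecutionPolicy Bypass -NonInteractive "
                       r"-WindowStyle Hidden -File C:\Users\Public\cve_2016_0099.ps1"),
    Event(11, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          target_filename=r"C:\Users\Public\cve_2016_0099.ps1"),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line="powershell.exe -Command Invoke-MS16-032"),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line=r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line="powershell.exe -NoProfile -Command Get-Process"),
]

if __name__ == "__main__":
    for idx, image, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {image}: {', '.join(hits)}")
```

The flag rule requires all three switches together because any one of them alone is common in legitimate automation; the script-name and function-name rules are high-confidence on their own. Per the page's note on WfsDelay and TIMEOUT, the file-creation event (event_id 11) matters because the script may be deleted within about a minute, so a process-only rule can miss it.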

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.2     HIGH       AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck             7.8     HIGH
cisa                  7.8     HIGH