1. Home
  2. Techniques
  3. Enterprise
  4. Impair Defenses
  5. Safe Mode Boot

Impair Defenses: Safe Mode Boot

ID Name
T1562.001 Disable or Modify Tools
T1562.002 Disable Windows Event Logging
T1562.003 Impair Command History Logging
T1562.004 Disable or Modify System Firewall
T1562.006 Indicator Blocking
T1562.007 Disable or Modify Cloud Firewall
T1562.008 Disable or Modify Cloud Logs
T1562.009 Safe Mode Boot
T1562.010 Downgrade Attack
T1562.011 Spoof Security Alerting
T1562.012 Disable or Modify Linux Audit System

Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.[1][2]

Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.[3]

Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. Modify Registry). Malicious Component Object Model (COM) objects may also be registered and loaded in safe mode.[2][4][5][6]

ID: T1562.009
Sub-technique of:  T1562
Tactic: Defense Evasion
Platforms: Windows
Permissions Required: Administrator
Defense Bypassed: Anti-virus, Host Intrusion Prevention Systems
Contributors: Jorell Magtibay, National Australia Bank Limited; Kiyohito Yamamoto, RedLark, NTT Communications; Yusuke Kubo, RedLark, NTT Communications
Version: 1.0
Created: 23 June 2021
Last Modified: 31 August 2021
Version Permalink

Procedure Examples

ID Name Description
S1053 AvosLocker

AvosLocker can restart a compromised machine in safe mode.[7][8]

S1070 Black Basta

Black Basta can reboot victim machines in safe mode with networking via bcdedit /set safeboot network.[9][10][11][12][13]
S0496 REvil

REvil can force a reboot in safe mode with networking.[6]

Mitigations

ID Mitigation Description
M1026 Privileged Account Management

Restrict administrator accounts to as few individuals as possible, following least privilege principles, that may be abused to remotely boot a machine in safe mode.[4]
M1054 Software Configuration

Ensure that endpoint defenses run in safe mode.[4]

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments associated with making configuration changes to boot settings, such as bcdedit.exe and bootcfg.exe.[3][14][2]
DS0009 Process Process Creation

Monitor newly executed processes that may abuse Windows safe mode to disable endpoint defenses.
DS0024 Windows Registry Windows Registry Key Creation

Monitor Registry creation for services that may start on safe mode. For example, a program can be forced to start on safe mode boot by adding a * in front of the "Startup" value name: HKLM\Software\Microsoft\Windows\CurrentVersion\Run["*Startup"="{Path}"] or by adding a key to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal.[6][2]
Windows Registry Key Modification

Monitor modifications to Registry data associated with enabling safe mode. For example, a service can be forced to start on safe mode boot by adding a * in front of the "Startup" value name: HKLM\Software\Microsoft\Windows\CurrentVersion\Run["*Startup"="{Path}"] or by adding a key to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal.[6][2]

References

  1. Microsoft. (n.d.). Start your PC in safe mode in Windows 10. Retrieved June 23, 2021.
  2. Sophos. (2019, December 9). Snatch ransomware reboots PCs into Safe Mode to bypass protection. Retrieved June 23, 2021.
  3. Microsoft. (2021, May 27). bcdedit. Retrieved June 23, 2021.
  4. Naim, D.. (2016, September 15). CyberArk Labs: From Safe Mode to Domain Compromise. Retrieved June 23, 2021.
  5. Cybereason Nocturnus. (2020, November 19). Cybereason vs. MedusaLocker Ransomware. Retrieved June 23, 2021.
  6. Abrams, L. (2021, March 19). REvil ransomware has a new ‘Windows Safe Mode’ encryption mode. Retrieved June 23, 2021.
  7. Trend Micro Research. (2022, April 4). Ransomware Spotlight AvosLocker. Retrieved January 11, 2023.
  1. Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023.
  2. Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023.
  3. Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved March 7, 2023.
  4. Gonzalez, I., Chavez I., et al. (2022, May 9). Examining the Black Basta Ransomware’s Infection Routine. Retrieved March 7, 2023.
  5. Avertium. (2022, June 1). AN IN-DEPTH LOOK AT BLACK BASTA RANSOMWARE. Retrieved March 7, 2023.
  6. Elsad, A. (2022, August 25). Threat Assessment: Black Basta Ransomware. Retrieved March 8, 2023.
  7. Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August 30, 2021.