1. Home
  2. Techniques
  3. Enterprise
  4. Impair Defenses
  5. Safe Mode Boot

Impair Defenses: Safe Mode Boot

ID Name
T1562.001 Disable or Modify Tools
T1562.002 Disable Windows Event Logging
T1562.003 Impair Command History Logging
T1562.004 Disable or Modify System Firewall
T1562.006 Indicator Blocking
T1562.007 Disable or Modify Cloud Firewall
T1562.008 Disable or Modify Cloud Logs
T1562.009 Safe Mode Boot
T1562.010 Downgrade Attack
T1562.011 Spoof Security Alerting
T1562.012 Disable or Modify Linux Audit System
T1562.013 Disable or Modify Network Device Firewall

Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.[1][2]

Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.[3]

Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. Modify Registry). Malicious Component Object Model (COM) objects may also be registered and loaded in safe mode.[2][4][5][6]

ID: T1562.009
Sub-technique of:  T1562
Tactic: Defense Evasion
Platforms: Windows
Contributors: Jorell Magtibay, National Australia Bank Limited; Kiyohito Yamamoto, RedLark, NTT Communications; Yusuke Kubo, RedLark, NTT Communications
Version: 1.1
Created: 23 June 2021
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S1053 AvosLocker

AvosLocker can restart a compromised machine in safe mode.[7][8]

S1070 Black Basta

Black Basta can reboot victim machines in safe mode with networking via bcdedit /set safeboot network.[9][10][11][12][13]
S1247 Embargo

Embargo has used a DLL variant of MDeployer to disable security solutions through Safe Mode.[14]
S1202 LockBit 3.0

LockBit 3.0 can reboot the infected host into Safe Mode.[15]
S1242 Qilin

Qilin can reboot targeted systems in safe mode to help avoid detection.[16][17]
S1212 RansomHub

RansomHub can reboot targeted systems into Safe Mode prior to encryption.[18]
S0496 REvil

REvil can force a reboot in safe mode with networking.[6]

Mitigations

ID Mitigation Description
M1026 Privileged Account Management

Restrict administrator accounts to as few individuals as possible, following least privilege principles, that may be abused to remotely boot a machine in safe mode.[4]
M1054 Software Configuration

Ensure that endpoint defenses run in safe mode.[4]

Detection Strategy

ID Name Analytic ID Analytic Description
DET0116 Detection Strategy for Safe Mode Boot Abuse AN0323

Abuse of safe mode via BCD modification, boot configuration utilities (bcdedit.exe, bootcfg.exe), and registry persistence under SafeBoot keys. Defender view: suspicious boot configuration changes correlated with registry edits that enable adversary persistence or disable defenses.

References

  1. Microsoft. (n.d.). Start your PC in safe mode in Windows 10. Retrieved June 23, 2021.
  2. Sophos. (2019, December 9). Snatch ransomware reboots PCs into Safe Mode to bypass protection. Retrieved June 23, 2021.
  3. Microsoft. (2021, May 27). bcdedit. Retrieved June 23, 2021.
  4. Naim, D.. (2016, September 15). CyberArk Labs: From Safe Mode to Domain Compromise. Retrieved June 23, 2021.
  5. Cybereason Nocturnus. (2020, November 19). Cybereason vs. MedusaLocker Ransomware. Retrieved June 23, 2021.
  6. Abrams, L. (2021, March 19). REvil ransomware has a new ‘Windows Safe Mode’ encryption mode. Retrieved June 23, 2021.
  7. Trend Micro Research. (2022, April 4). Ransomware Spotlight AvosLocker. Retrieved January 11, 2023.
  8. Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023.
  9. Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023.
  1. Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved November 17, 2024.
  2. Gonzalez, I., Chavez I., et al. (2022, May 9). Examining the Black Basta Ransomware’s Infection Routine. Retrieved March 7, 2023.
  3. Avertium. (2022, June 1). AN IN-DEPTH LOOK AT BLACK BASTA RANSOMWARE. Retrieved March 7, 2023.
  4. Elsad, A. (2022, August 25). Threat Assessment: Black Basta Ransomware. Retrieved March 8, 2023.
  5. Jan Holman, Tomas Zvara. (2024, October 23). Embargo ransomware: Rock’n’Rust. Retrieved October 19, 2025.
  6. FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025.
  7. Magdy, S. et al. (2022, August 25). New Golang Ransomware Agenda Customizes Attacks. Retrieved September 26, 2025.
  8. Thomas, W. (2024, June 12). Tracking Adversaries: The Qilin RaaS. Retrieved September 26, 2025.
  9. Alfano, V. et al. (2025, February 12). RansomHub Never Sleeps Episode 1: The evolution of modern ransomware. Retrieved March 17, 2025.