Skip to content

T1562.009 Safe Mode Boot

Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.57

Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.4

Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. Modify Registry). Malicious Component Object Model (COM) objects may also be registered and loaded in safe mode.7621

Item Value
ID T1562.009
Sub-techniques T1562.001, T1562.002, T1562.003, T1562.004, T1562.006, T1562.007, T1562.008, T1562.009, T1562.010, T1562.011, T1562.012, T1562.013
Tactics TA0005
Platforms Windows
Version 1.1
Created 23 June 2021
Last Modified 24 October 2025

Procedure Examples

ID Name Description
S1053 AvosLocker AvosLocker can restart a compromised machine in safe mode.1918
S1070 Black Basta Black Basta can reboot victim machines in safe mode with networking via bcdedit /set safeboot network.131012911
S1247 Embargo Embargo has used a DLL variant of MDeployer to disable security solutions through Safe Mode.15
S1202 LockBit 3.0 LockBit 3.0 can reboot the infected host into Safe Mode.14
S1242 Qilin Qilin can reboot targeted systems in safe mode to help avoid detection.1617
S1212 RansomHub RansomHub can reboot targeted systems into Safe Mode prior to encryption.8
S0496 REvil REvil can force a reboot in safe mode with networking.1

Mitigations

ID Mitigation Description
M1026 Privileged Account Management Restrict administrator accounts to as few individuals as possible, following least privilege principles, that may be abused to remotely boot a machine in safe mode.6
M1054 Software Configuration Ensure that endpoint defenses run in safe mode.6

References

  1. Abrams, L. (2021, March 19). REvil ransomware has a new ‘Windows Safe Mode’ encryption mode. Retrieved June 23, 2021. 

  2. Cybereason Nocturnus. (2020, November 19). Cybereason vs. MedusaLocker Ransomware. Retrieved June 23, 2021. 

  3. Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August 30, 2021. 

  4. Microsoft. (2021, May 27). bcdedit. Retrieved June 23, 2021. 

  5. Microsoft. (n.d.). Start your PC in safe mode in Windows 10. Retrieved June 23, 2021. 

  6. Naim, D.. (2016, September 15). CyberArk Labs: From Safe Mode to Domain Compromise. Retrieved June 23, 2021. 

  7. Sophos. (2019, December 9). Snatch ransomware reboots PCs into Safe Mode to bypass protection. Retrieved June 23, 2021. 

  8. Alfano, V. et al. (2025, February 12). RansomHub Never Sleeps Episode 1: The evolution of modern ransomware. Retrieved March 17, 2025. 

  9. Avertium. (2022, June 1). AN IN-DEPTH LOOK AT BLACK BASTA RANSOMWARE. Retrieved March 7, 2023. 

  10. Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved November 17, 2024. 

  11. Elsad, A. (2022, August 25). Threat Assessment: Black Basta Ransomware. Retrieved March 8, 2023. 

  12. Gonzalez, I., Chavez I., et al. (2022, May 9). Examining the Black Basta Ransomware’s Infection Routine. Retrieved March 7, 2023. 

  13. Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023. 

  14. FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025. 

  15. Jan Holman, Tomas Zvara. (2024, October 23). Embargo ransomware: Rock’n’Rust. Retrieved October 19, 2025. 

  16. Magdy, S. et al. (2022, August 25). New Golang Ransomware Agenda Customizes Attacks. Retrieved September 26, 2025. 

  17. Thomas, W. (2024, June 12). Tracking Adversaries: The Qilin RaaS. Retrieved September 26, 2025. 

  18. Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023. 

  19. Trend Micro Research. (2022, April 4). Ransomware Spotlight AvosLocker. Retrieved January 11, 2023.