Skip to content

T1562.009 Safe Mode Boot

Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.12

Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.3

Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. Modify Registry). Malicious Component Object Model (COM) objects may also be registered and loaded in safe mode.2456

Item Value
ID T1562.009
Sub-techniques T1562.001, T1562.002, T1562.003, T1562.004, T1562.006, T1562.007, T1562.008, T1562.009, T1562.010, T1562.011
Tactics TA0005
Platforms Windows
Permissions required Administrator
Version 1.0
Created 23 June 2021
Last Modified 31 August 2021

Procedure Examples

ID Name Description
S1053 AvosLocker AvosLocker can restart a compromised machine in safe mode.98
S1070 Black Basta Black Basta can reboot victim machines in safe mode with networking via bcdedit /set safeboot network.1411131012
S0496 REvil REvil can force a reboot in safe mode with networking.6

Mitigations

ID Mitigation Description
M1026 Privileged Account Management Restrict administrator accounts to as few individuals as possible, following least privilege principles, that may be abused to remotely boot a machine in safe mode.4
M1054 Software Configuration Ensure that endpoint defenses run in safe mode.4

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0009 Process Process Creation
DS0024 Windows Registry Windows Registry Key Creation

References