T1562.009 Safe Mode Boot
Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.[1][2]
Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.[3]
Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e., Modify Registry). Malicious Component Object Model (COM) objects may also be registered and loaded in safe mode.[2][4][5][6]
Item | Value |
---|---|
ID | T1562.009 |
Sub-techniques | T1562.001, T1562.002, T1562.003, T1562.004, T1562.006, T1562.007, T1562.008, T1562.009, T1562.010, T1562.011 |
Tactics | TA0005 |
Platforms | Windows |
Permissions required | Administrator |
Version | 1.0 |
Created | 23 June 2021 |
Last Modified | 31 August 2021 |
Procedure Examples
ID | Name | Description |
---|---|---|
S1053 | AvosLocker | AvosLocker can restart a compromised machine in safe mode.[8][9] |
S1070 | Black Basta | Black Basta can reboot victim machines in safe mode with networking via `bcdedit /set safeboot network`.[10][11][12][13][14] |
S0496 | REvil | REvil can force a reboot in safe mode with networking.[6] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1026 | Privileged Account Management | Restrict administrator accounts, which may be abused to remotely boot a machine in safe mode, to as few individuals as possible, following least privilege principles.[4] |
M1054 | Software Configuration | Ensure that endpoint defenses are configured to run in safe mode.[4] |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0009 | Process | Process Creation |
DS0024 | Windows Registry | Windows Registry Key Creation |
References
1. Microsoft. (n.d.). Start your PC in safe mode in Windows 10. Retrieved June 23, 2021.
2. Sophos. (2019, December 9). Snatch ransomware reboots PCs into Safe Mode to bypass protection. Retrieved June 23, 2021.
3. Microsoft. (2021, May 27). bcdedit. Retrieved June 23, 2021.
4. Naim, D. (2016, September 15). CyberArk Labs: From Safe Mode to Domain Compromise. Retrieved June 23, 2021.
5. Cybereason Nocturnus. (2020, November 19). Cybereason vs. MedusaLocker Ransomware. Retrieved June 23, 2021.
6. Abrams, L. (2021, March 19). REvil ransomware has a new ‘Windows Safe Mode’ encryption mode. Retrieved June 23, 2021.
7. Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August 30, 2021.
8. Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023.
9. Trend Micro Research. (2022, April 4). Ransomware Spotlight AvosLocker. Retrieved January 11, 2023.
10. Avertium. (2022, June 1). An In-Depth Look at Black Basta Ransomware. Retrieved March 7, 2023.
11. Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved March 7, 2023.
12. Elsad, A. (2022, August 25). Threat Assessment: Black Basta Ransomware. Retrieved March 8, 2023.
13. Gonzalez, I., Chavez, I., et al. (2022, May 9). Examining the Black Basta Ransomware’s Infection Routine. Retrieved March 7, 2023.
14. Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023.