MITRE ATT&CK T1562.009 Impair Defenses: Safe Mode Boot
Safe Mode Boot is a defense evasion technique that adversaries use to reboot a system into Safe Mode to disable security controls and execute malicious actions without interference. Safe Mode is a diagnostic startup mode in Windows that loads only essential system services and drivers, often disabling third-party security software such as antivirus, endpoint detection and response (EDR), and monitoring tools. By leveraging Safe Mode, attackers can bypass security protections that would normally detect and prevent their activities in a fully operational environment.
In this blog post, we explain the T1562.009 Safe Mode Boot technique of the MITRE ATT&CK® framework and explore how adversaries employ Safe Mode Boot with real-world attack examples in detail.
What is Safe Mode Boot?
Safe Mode Boot is a diagnostic startup mode in operating systems, including Windows, macOS, and some Linux distributions. When a computer is booted in Safe Mode, it only loads the essential system files and drivers necessary for basic functionality. It is designed to troubleshoot and resolve issues with the operating system by loading a minimal set of drivers and services, thereby isolating the system from potentially problematic components.
Safe Mode is particularly useful when a system experiences problems such as frequent crashes, freezes, or startup failures. It allows users to access the operating system in a simplified state, making it easier to pinpoint the source of the problem. Once in Safe Mode, users can uninstall recently added software, update or roll back drivers, and perform other troubleshooting steps to resolve issues.
Adversary Use of Safe Mode Boot
While Safe Mode Boot is designed as a diagnostic tool for troubleshooting and resolving issues within an operating system, adversaries have ingeniously repurposed this feature to evade detection, manipulate system configurations, and facilitate their malicious activities. Adversaries often exploit Safe Mode Boot to navigate around security measures implemented by the operating system. By booting the system in Safe Mode, they ensure that only a minimal set of drivers and essential services are loaded, creating an environment where many security controls are not started. This method is particularly advantageous for adversaries seeking to infiltrate a system without triggering alarms or encountering active defenses.
Adversaries leverage the Safe Mode Boot technique to subvert security software and evade detection by antivirus programs. In Safe Mode, many security applications and services, which are crucial for real-time threat detection, may remain inactive. This creates a window of opportunity for adversaries to execute malicious code or deploy malware without immediate interference from security solutions. By exploiting this reduced security posture, adversaries increase their chances of remaining undetected during the initial stages of their attack.
The Safe Mode Boot technique also serves as an effective means for adversaries to manipulate system configurations and disable security features. In Safe Mode, certain startup items and third-party drivers are deliberately excluded, offering adversaries a controlled environment for altering system settings. This manipulation may involve disabling firewalls, antivirus programs, or other security measures that could impede their progress, allowing adversaries to establish a foothold within the compromised system and lay the groundwork for subsequent malicious activities.
In March 2024, RA World ransomware was reported to prepare the system for Safe Mode with Networking by creating a service and then registering that service under the SafeBoot\Network registry key, so that Windows starts it even when booted into Safe Mode [1].
sc create <service_name> binpath= <path_to_executable> start= auto displayname= <service_display_name>
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\<service_name>" /t REG_SZ /d Service /f
Additionally, adversaries configure the Boot Configuration Data (BCD) to force the next boot into Safe Mode with Networking and then restart the compromised system.
bcdedit /set {default} safeboot Network
shutdown -r -f -t 00
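The two steps above (registering a service under SafeBoot\Network, then setting the BCD safeboot value and forcing a reboot) leave a recognisable trail in endpoint telemetry. The following is an added detection example, not code from the original post or from Trend Micro's report: it runs simple T1562.009 rules over constructed events modelled loosely on Sysmon Event ID 1 (process creation) and Event ID 13 (registry value set). The event field names (`id`, `image`, `cmd`, `target`, `details`) and the sample command lines are assumptions made for the example; the `SafeBoot\Minimal` key is the sibling of the `SafeBoot\Network` key shown above. A forced reboot is scored low on its own and escalated only when a Safe Mode preparation step preceded it in the same event stream.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str       # which T1562.009 rule matched
    severity: str   # "low" or "high"
    evidence: str   # the command line or registry path that triggered it


# Registry paths under which a service or driver is permitted to start in Safe Mode.
SAFEBOOT_KEY_RE = re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\", re.I)
# "bcdedit /set ... safeboot ..." persistently forces the next boot into Safe Mode.
# Listing the store (bcdedit /enum) is not matched.
BCDEDIT_SAFEBOOT_RE = re.compile(r"\bbcdedit(?:\.exe)?\b.*?/set\b.*?\bsafeboot\b", re.I)
# A forced (-f) restart (-r); only meaningful when combined with the rules above.
FORCED_REBOOT_RE = re.compile(
    r"\bshutdown(?:\.exe)?\b(?:.*?[-/]r\b.*?[-/]f\b|.*?[-/]f\b.*?[-/]r\b)", re.I)

# Constructed sample events (not real telemetry). Field names are an assumption.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\sc.exe",
     "cmd": r'sc create UpdSvc binpath= "C:\ProgramData\upd.exe" start= auto displayname= "Update Service"'},
    {"id": 1, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UpdSvc" /t REG_SZ /d Service /f'},
    {"id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\UpdSvc\(Default)",
     "details": "Service"},
    {"id": 1, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmd": r"bcdedit /set {default} safeboot Network"},
    {"id": 1, "image": r"C:\Windows\System32\shutdown.exe",
     "cmd": r"shutdown -r -f -t 00"},
    {"id": 1, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmd": r"bcdedit /enum"},  # benign: enumerating the BCD store is not a finding
    {"id": 13, "image": r"C:\Windows\System32\services.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\UpdSvc\Start",
     "details": "DWORD (0x00000002)"},  # ordinary service key, outside SafeBoot
]


def analyze(events):
    """Return T1562.009 findings for an ordered list of events from one host."""
    findings = []
    safe_mode_prepared = False  # set once a SafeBoot key write or bcdedit safeboot is seen
    for ev in events:
        if ev.get("id") == 1:
            cmd = ev.get("cmd", "")
            if SAFEBOOT_KEY_RE.search(cmd):
                findings.append(Finding("safeboot_service_registered", "high", cmd))
                safe_mode_prepared = True
            elif BCDEDIT_SAFEBOOT_RE.search(cmd):
                findings.append(Finding("bcdedit_safeboot_set", "high", cmd))
                safe_mode_prepared = True
            elif FORCED_REBOOT_RE.search(cmd):
                # A forced reboot after Safe Mode preparation completes the technique.
                severity = "high" if safe_mode_prepared else "low"
                findings.append(Finding("forced_reboot", severity, cmd))
        elif ev.get("id") == 13:
            target = ev.get("target", "")
            if SAFEBOOT_KEY_RE.search(target):
                findings.append(Finding("safeboot_registry_write", "high", target))
                safe_mode_prepared = True
    return findings


def highest_severity(findings):
    """Collapse a list of findings to a single host-level verdict."""
    if not findings:
        return "none"
    return "high" if any(f.severity == "high" for f in findings) else "low"


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.evidence}")
    print("verdict:", highest_severity(analyze(SAMPLE_EVENTS)))
```

The rules deliberately match the registry write twice, once from the `reg add` command line and once from the resulting registry event, because either source alone may be missing depending on which telemetry a sensor collects. The `sc create` line itself is not flagged: service creation is routine, and it is the SafeBoot\Network entry that makes it relevant to this technique.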
References
[1] "Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO," Trend Micro. https://www.trendmicro.com/en_us/research/24/c/multistage-ra-world-ransomware.html