T1562.009 - Impair Defenses: Safe Boot Mode

Description from ATT&CK

Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019) Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit 2021) Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)). Malicious [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) objects may also be registered and loaded in safe mode.(Citation: Sophos Snatch Ransomware 2019)(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason Nocturnus MedusaLocker 2020)(Citation: BleepingComputer REvil 2021)

Atomic Tests


Atomic Test #1 - Safe Mode Boot

Allows adversaries to abuse safe mode to disable endpoint defenses that may not start with limited boot

Supported Platforms: Windows

auto_generated_guid: 2a78362e-b79a-4482-8e24-be397bce4d85

Attack Commands: Run with
1
command_prompt
! Elevation Required (e.g. root or admin)

bcdedit /set safeboot network

Cleanup Commands:

bcdedit /deletevalue {current} safeboot