1. Home
  2. ATT&CK Techniques
  3. T1562.009 Safe Mode Boot

T1562.009 Safe Mode Boot

Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit 2021)

Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. Modify Registry). Malicious Component Object Model (COM) objects may also be registered and loaded in safe mode.(Citation: Sophos Snatch Ransomware 2019)(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason Nocturnus MedusaLocker 2020)(Citation: BleepingComputer REvil 2021)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.PS-01.01 Configuration baselines Mitigates T1562.009 Safe Mode Boot
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
References
    PR.PS-01.02 Least functionality Mitigates T1562.009 Safe Mode Boot
    Comments
    This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
    References
      PR.AA-05.02 Privileged system access Mitigates T1562.009 Safe Mode Boot
      Comments
      This diagnostic statement protects against Safe Mode Boot through the use of privileged account management and the use of multi-factor authentication.
      References
        PR.AA-05.01 Access privilege limitation Mitigates T1562.009 Safe Mode Boot
        Comments
        This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Restrict administrator accounts to as few individuals as possible, following least privilege principles, that may be abused to remotely boot a machine in safe mode.
        References
          PR.PS-01.03 Configuration deviation Mitigates T1562.009 Safe Mode Boot
          Comments
          This diagnostic statement provides protection from Impair Defenses: Safe Mode Boot through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
          References

            NIST 800-53 Mappings

            Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
            CM-06 Configuration Settings mitigates T1562.009 Safe Mode Boot
            CM-05 Access Restrictions for Change mitigates T1562.009 Safe Mode Boot
            IA-09 Service Identification and Authentication mitigates T1562.009 Safe Mode Boot
            CM-10 Software Usage Restrictions mitigates T1562.009 Safe Mode Boot
            SC-23 Session Authenticity mitigates T1562.009 Safe Mode Boot
            SC-08 Transmission Confidentiality and Integrity mitigates T1562.009 Safe Mode Boot
            SI-07 Software, Firmware, and Information Integrity mitigates T1562.009 Safe Mode Boot
            IA-02 Identification and Authentication (Organizational Users) mitigates T1562.009 Safe Mode Boot
            CM-07 Least Functionality mitigates T1562.009 Safe Mode Boot
            AC-02 Account Management mitigates T1562.009 Safe Mode Boot
            AC-03 Access Enforcement mitigates T1562.009 Safe Mode Boot
            AC-05 Separation of Duties mitigates T1562.009 Safe Mode Boot
            AC-06 Least Privilege mitigates T1562.009 Safe Mode Boot

            Azure Mappings

            Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
            alerts_for_windows_machines Alerts for Windows Machines technique_scores T1562.009 Safe Mode Boot
            Comments
            This control may detect executed commands indicative of changes to boot settings such as bcdedit.exe and bootcfg.exe
            References
            1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers
            2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-windows-machines