MaxPatrol SIEM

Detects cyber incidents that undermine a company's cyber resilience

T1562.009: Safe Mode Boot

Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.

Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.

Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. Modify Registry). Malicious Component Object Model (COM) objects may also be registered and loaded in safe mode.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_defense_evasion: PT-CR-2224: Safe_Mode_Boot: A user changed a system setting or registry key responsible for booting the system or starting a process, service, or driver in safe mode. This allows attackers to disable endpoint protection and avoid detection.

Detection

ID: DS0009
Data source and component: Process: Process Creation
Description: Monitor newly executed processes that may abuse Windows safe mode to disable endpoint defenses.

ID: DS0024
Data source and component: Windows Registry: Windows Registry Key Modification
Description: Monitor modifications to Registry data associated with enabling safe mode. For example, a service can be forced to start on safe mode boot by adding a * in front of the "Startup" value name: HKLM\Software\Microsoft\Windows\CurrentVersion\Run["*Startup"="{Path}"] or by adding a key to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal.

ID: DS0017
Data source and component: Command: Command Execution
Description: Monitor executed commands and arguments associated with making configuration changes to boot settings, such as bcdedit.exe and bootcfg.exe.

ID: DS0024
Data source and component: Windows Registry: Windows Registry Key Creation
Description: Monitor Registry creation for services that may start on safe mode. For example, a program can be forced to start on safe mode boot by adding a * in front of the "Startup" value name: HKLM\Software\Microsoft\Windows\CurrentVersion\Run["*Startup"="{Path}"] or by adding a key to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal.

Mitigation

ID: M1026
Name: Privileged Account Management
Description: Following least privilege principles, restrict to as few individuals as possible the administrator accounts that could be abused to remotely boot a machine in safe mode.

ID: M1054
Name: Software Configuration
Description: Ensure that endpoint defenses run in safe mode.