Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Technique Safe Mode Boot
Сертификаты СЗИ
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
RU
Риски
Каталоги
MITRE ATT&CK
Техника
Safe Mode Boot
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Impair Defenses:  Safe Mode Boot

ID Name
.001 Disable or Modify Tools
.002 Disable Windows Event Logging
.003 Impair Command History Logging
.004 Disable or Modify System Firewall
.006 Indicator Blocking
.007 Disable or Modify Cloud Firewall
.008 Disable or Modify Cloud Logs
.009 Safe Mode Boot
.010 Downgrade Attack
.011 Spoof Security Alerting
.012 Disable or Modify Linux Audit System

Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019) Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit 2021) Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. Modify Registry). Malicious Component Object Model (COM) objects may also be registered and loaded in safe mode.(Citation: Sophos Snatch Ransomware 2019)(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason Nocturnus MedusaLocker 2020)(Citation: BleepingComputer REvil 2021)

ID: T1562.009
Sub-technique of:  T1562
Tactic(s): Defense Evasion
Platforms: Windows
Data Sources: Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Version: 1.1
Created: 23 Jun 2021
Last Modified: 25 Apr 2025

Procedure Examples
Name Description
REvil

REvil can force a reboot in safe mode with networking.(Citation: BleepingComputer REvil 2021)
RansomHub

RansomHub can reboot targeted systems into Safe Mode prior to encryption.(Citation: Group-IB RansomHub FEB 2025)
Black Basta

Black Basta can reboot victim machines in safe mode with networking via `bcdedit /set safeboot network`.(Citation: Minerva Labs Black Basta May 2022)(Citation: Cyble Black Basta May 2022)(Citation: Trend Micro Black Basta May 2022)(Citation: Avertium Black Basta June 2022)(Citation: Palo Alto Networks Black Basta August 2022)
LockBit 3.0

LockBit 3.0 can reboot the infected host into Safe Mode.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)
AvosLocker

AvosLocker can restart a compromised machine in safe mode.(Citation: Trend Micro AvosLocker Apr 2022)(Citation: Costa AvosLocker May 2022)

Mitigations
Mitigation Description
Privileged Account Management

Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through the following measures: Account Permissions and Roles: - Implement RBAC and least privilege principles to allocate permissions securely. - Use tools like Active Directory Group Policies to enforce access restrictions. Credential Security: - Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials. - Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO). Multi-Factor Authentication (MFA): - Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA. Privileged Access Management (PAM): - Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access. Auditing and Monitoring: - Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage. Just-In-Time Access: - Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions. *Tools for Implementation* Privileged Access Management (PAM): - CyberArk, BeyondTrust, Thycotic, HashiCorp Vault. Credential Management: - Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass. Multi-Factor Authentication: - Duo Security, Okta, Microsoft Azure MFA, Google Authenticator. Linux Privilege Management: - sudo configuration, SELinux, AppArmor. Just-In-Time Access: - Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.
Software Configuration

Software configuration refers to making security-focused adjustments to the settings of applications, middleware, databases, or other software to mitigate potential threats. These changes help reduce the attack surface, enforce best practices, and protect sensitive data. This mitigation can be implemented through the following measures: Conduct a Security Review of Application Settings: - Review the software documentation to identify recommended security configurations. - Compare default settings against organizational policies and compliance requirements. Implement Access Controls and Permissions: - Restrict access to sensitive features or data within the software. - Enforce least privilege principles for all roles and accounts interacting with the software. Enable Logging and Monitoring: - Configure detailed logging for key application events such as authentication failures, configuration changes, or unusual activity. - Integrate logs with a centralized monitoring solution, such as a SIEM. Update and Patch Software Regularly: - Ensure the software is kept up-to-date with the latest security patches to address known vulnerabilities. - Use automated patch management tools to streamline the update process. Disable Unnecessary Features or Services: - Turn off unused functionality or components that could introduce vulnerabilities, such as debugging interfaces or deprecated APIs. Test Configuration Changes: - Perform configuration changes in a staging environment before applying them in production. - Conduct regular audits to ensure that settings remain aligned with security policies. *Tools for Implementation* Configuration Management Tools: - Ansible: Automates configuration changes across multiple applications and environments. - Chef: Ensures consistent application settings through code-based configuration management. - Puppet: Automates software configurations and audits changes for compliance. Security Benchmarking Tools: - CIS-CAT: Provides benchmarks and audits for secure software configurations. - Aqua Security Trivy: Scans containerized applications for configuration issues. Vulnerability Management Solutions: - Nessus: Identifies misconfigurations and suggests corrective actions. Logging and Monitoring Tools: - Splunk: Aggregates and analyzes application logs to detect suspicious activity.

Detection

Monitor Registry modification and additions for services that may start on safe mode. For example, a program can be forced to start on safe mode boot by adding a \* in front of the "Startup" value name: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\["\*Startup"="{Path}"] or by adding a key to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal.(Citation: BleepingComputer REvil 2021)(Citation: Sophos Snatch Ransomware 2019) Monitor execution of processes and commands associated with making configuration changes to boot settings, such as bcdedit.exe and bootcfg.exe.(Citation: Microsoft bcdedit 2021)(Citation: Microsoft Bootcfg)(Citation: Sophos Snatch Ransomware 2019)

References

  1. Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August 30, 2021.
  2. Abrams, L. (2021, March 19). REvil ransomware has a new ‘Windows Safe Mode’ encryption mode. Retrieved June 23, 2021.
  3. Cybereason Nocturnus. (2020, November 19). Cybereason vs. MedusaLocker Ransomware. Retrieved June 23, 2021.
  4. Naim, D.. (2016, September 15). CyberArk Labs: From Safe Mode to Domain Compromise. Retrieved June 23, 2021.
  5. Microsoft. (2021, May 27). bcdedit. Retrieved June 23, 2021.
  6. Sophos. (2019, December 9). Snatch ransomware reboots PCs into Safe Mode to bypass protection. Retrieved June 23, 2021.
  7. Microsoft. (n.d.). Start your PC in safe mode in Windows 10. Retrieved June 23, 2021.
  8. Alfano, V. et al. (2025, February 12). RansomHub Never Sleeps Episode 1: The evolution of modern ransomware. Retrieved March 17, 2025.
  9. Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023.
  10. Gonzalez, I., Chavez I., et al. (2022, May 9). Examining the Black Basta Ransomware’s Infection Routine. Retrieved March 7, 2023.
  11. Elsad, A. (2022, August 25). Threat Assessment: Black Basta Ransomware. Retrieved March 8, 2023.
  12. Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved November 17, 2024.
  13. Avertium. (2022, June 1). AN IN-DEPTH LOOK AT BLACK BASTA RANSOMWARE. Retrieved March 7, 2023.
  14. FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025.
  15. Trend Micro Research. (2022, April 4). Ransomware Spotlight AvosLocker. Retrieved January 11, 2023.
  16. Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.