Home/ATT&CK Technique/Safe Mode Boot
ATT&CK Technique

Safe Mode Boot

T1688 · defense-impairment

Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode.

There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot. Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot.

Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings. Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. Modify Registry).

Malicious Component Object Model (COM) objects may also be registered and loaded in safe mode.

Windows

Atomic Tests

1
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
command_promptelevatedwindowsSafe Mode Boot
Allows adversaries to abuse safe mode to disable endpoint defenses that may not start with limited boot
bcdedit /set safeboot network

Mitigations

2
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1026Privileged Account Management

Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.

Account Permissions and Roles
  • Implement RBAC and least privilege principles to allocate permissions securely.
  • Use tools like Active Directory Group Policies to enforce access restrictions.
Credential Security
  • Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials.
  • Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO).
Multi-Factor Authentication (MFA)
  • Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA.
Privileged Access Management (PAM)
  • Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access.
Auditing and Monitoring
  • Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage.
Just-In-Time Access
  • Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions.
Tools for Implementation Privileged Access Management (PAM)
  • CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.
Credential Management
  • Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.
Multi-Factor Authentication
  • Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.
Linux Privilege Management
  • sudo configuration, SELinux, AppArmor.
Just-In-Time Access
  • Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.
M1054Software Configuration

Software configuration refers to making security-focused adjustments to the settings of applications, middleware, databases, or other software to mitigate potential threats. These changes help reduce the attack surface, enforce best practices, and protect sensitive data.

Conduct a Security Review of Application Settings
  • Review the software documentation to identify recommended security configurations.
  • Compare default settings against organizational policies and compliance requirements.
Implement Access Controls and Permissions
  • Restrict access to sensitive features or data within the software.
  • Enforce least privilege principles for all roles and accounts interacting with the software.
Enable Logging and Monitoring
  • Configure detailed logging for key application events such as authentication failures, configuration changes, or unusual activity.
  • Integrate logs with a centralized monitoring solution, such as a SIEM.
Update and Patch Software Regularly
  • Ensure the software is kept up-to-date with the latest security patches to address known vulnerabilities.
  • Use automated patch management tools to streamline the update process.
Disable Unnecessary Features or Services
  • Turn off unused functionality or components that could introduce vulnerabilities, such as debugging interfaces or deprecated APIs.
Test Configuration Changes
  • Perform configuration changes in a staging environment before applying them in production.
  • Conduct regular audits to ensure that settings remain aligned with security policies.
Tools for Implementation Configuration Management Tools
  • Ansible: Automates configuration changes across multiple applications and environments.
  • Chef: Ensures consistent application settings through code-based configuration management.
  • Puppet: Automates software configurations and audits changes for compliance.
Security Benchmarking Tools
  • CIS-CAT: Provides benchmarks and audits for secure software configurations.
  • Aqua Security Trivy: Scans containerized applications for configuration issues.
Vulnerability Management Solutions
  • Nessus: Identifies misconfigurations and suggests corrective actions.
Logging and Monitoring Tools
  • Splunk: Aggregates and analyzes application logs to detect suspicious activity.

Detection Coverage

0/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) none
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin