Safe Mode is a great feature for Windows computers in that it allows a user to resolve issues they might not ordinarily be able to address in Normal Mode. That’s because Safe Mode runs only software that is critical to the proper functioning of the Windows operating system.
But safety isn’t equivalent to security.
Windows Safe Mode prevents a lot of third-party software that isn’t necessary to boot up the PC from running, including anti-virus solutions. Attackers can therefore abuse Safe Mode to launch their exploits, whereas they might be prevented from doing so in Normal Mode.
The attack begins with an malicious hacker gaining local admin privileges on at least one machine on the corporate network. It doesn’t matter how they do it, but if they had to choose, they might choose to target a particular individual in an organisation with a malicious email.
From there, hackers would need to look for vulnerable endpoints where they could reuse stolen login credentials to move laterally throughout the network.
That’s where Safe Mode comes in. As explained by Doron Naim, a senior security researcher at CyberArk:
“Safe Mode, by design, does not boot any software or drivers that are not critical to the operation of Windows. As a result, by remotely forcing a reboot in Safe Mode, attackers inside a compromised system are able to operate freely, as most endpoint defenses are not enabled. And because [Virtual Secure Module] VSM is only enabled in Normal Mode, attackers can also capture credential hashes needed to laterally move through the environment – despite Microsoft’s claims that pass-the-hash risks have been mitigated…”
A hacker must do three things to pull off this attack:
- Remotely configure an infected machine to reboot into Safe Mode. This can be done using BCDEdit.
- Configure attack tools to run in Safe Mode. A hacker can include a malicious service that runs only in Safe Mode in their initial payload. Alternatively, they can register a malicious COM object to run every time explorer.exe executes.
- Reboot the machine in Safe Mode. The actor can just wait for the next restart or create a fake “update” window that asks the victim to restart their computer.
From there, the attacker can achieve any number of outcomes, including lateral movement or even credential theft. As Naim observes:
“If the attacker’s goal is to steal credentials for future use, then the attacker actually wants the user to log on to the system. As the user logs in, the attacker can capture the credentials. In this case, the attacker will likely use the COM object technique to execute code that will change the background, look and feel of Safe Mode – making it appear that the user is still in Normal Mode. As soon as the user enters his or her credentials, a second “update” window can prompt the user to reboot yet again to move the machine back into the actual Normal Mode. Just as mentioned above, this secondary reboot prompt can mimic a legitimate Windows prompt to prevent the user from noticing anything suspicious.”
Malware in the wild have exhibited that type of one-two update scheme to conceal their activity. That includes some variants of Cerber ransomware.
In a test, CyberArk’s researchers found that once they modified the registry keys in Minimal Safe Mode, they were able to run Mimikatz and steal credentials without a security solution removing the program from the machine.
Given the risks associated with that type of attack, Naim recommends that sysadmins restrict administrator privileges, employ security tools that work in Safe Mode, and overall monitor who’s going into Safe Mode and what they’re doing once they’re there. That’s all they can do… Microsoft has refused to fix the issue as they say someone must already compromise a machine to initiate this sequence.
Interesting. In my opinion, a security hole is a security hole, including if it serves as a secondary attack vector.