MITRE ATT&CK Technique
Description
Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019) Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit 2021) Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)). Malicious [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) objects may also be registered and loaded in safe mode.(Citation: Sophos Snatch Ransomware 2019)(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason Nocturnus MedusaLocker 2020)(Citation: BleepingComputer REvil 2021)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2021-06-23T20:00:27.600Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may abuse Windows safe mode to disable endpoint '
'defenses. Safe mode starts up the Windows operating system '
'with a limited set of drivers and services. Third-party '
'security software such as endpoint detection and response '
'(EDR) tools may not start after booting Windows in safe mode. '
'There are two versions of safe mode: Safe Mode and Safe Mode '
'with Networking. It is possible to start additional services '
'after a safe mode boot.(Citation: Microsoft Safe '
'Mode)(Citation: Sophos Snatch Ransomware 2019)\n'
'\n'
'Adversaries may abuse safe mode to disable endpoint defenses '
'that may not start with a limited boot. Hosts can be forced '
'into safe mode after the next reboot via modifications to '
'Boot Configuration Data (BCD) stores, which are files that '
'manage boot application settings.(Citation: Microsoft bcdedit '
'2021)\n'
'\n'
'Adversaries may also add their malicious applications to the '
'list of minimal services that start in safe mode by modifying '
'relevant Registry values (i.e. [Modify '
'Registry](https://attack.mitre.org/techniques/T1112)). '
'Malicious [Component Object '
'Model](https://attack.mitre.org/techniques/T1559/001) (COM) '
'objects may also be registered and loaded in safe '
'mode.(Citation: Sophos Snatch Ransomware 2019)(Citation: '
'CyberArk Labs Safe Mode 2016)(Citation: Cybereason Nocturnus '
'MedusaLocker 2020)(Citation: BleepingComputer REvil 2021)',
'external_references': [{'external_id': 'T1562.009',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1562/009'},
{'description': 'Abrams, L. (2021, March 19). REvil '
'ransomware has a new ‘Windows Safe '
'Mode’ encryption mode. Retrieved '
'June 23, 2021.',
'source_name': 'BleepingComputer REvil 2021',
'url': 'https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/'},
{'description': 'Cybereason Nocturnus. (2020, '
'November 19). Cybereason vs. '
'MedusaLocker Ransomware. Retrieved '
'June 23, 2021.',
'source_name': 'Cybereason Nocturnus MedusaLocker '
'2020',
'url': 'https://www.cybereason.com/blog/medusalocker-ransomware'},
{'description': 'Gerend, J. et al. (2017, October '
'16). bootcfg. Retrieved August 30, '
'2021.',
'source_name': 'Microsoft Bootcfg',
'url': 'https://docs.microsoft.com/windows-server/administration/windows-commands/bootcfg'},
{'description': 'Microsoft. (2021, May 27). bcdedit. '
'Retrieved June 23, 2021.',
'source_name': 'Microsoft bcdedit 2021',
'url': 'https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bcdedit'},
{'description': 'Microsoft. (n.d.). Start your PC in '
'safe mode in Windows 10. Retrieved '
'June 23, 2021.',
'source_name': 'Microsoft Safe Mode',
'url': 'https://support.microsoft.com/en-us/windows/start-your-pc-in-safe-mode-in-windows-10-92c27cff-db89-8644-1ce4-b3e5e56fe234'},
{'description': 'Naim, D.. (2016, September 15). '
'CyberArk Labs: From Safe Mode to '
'Domain Compromise. Retrieved June '
'23, 2021.',
'source_name': 'CyberArk Labs Safe Mode 2016',
'url': 'https://www.cyberark.com/resources/blog/cyberark-labs-from-safe-mode-to-domain-compromise'},
{'description': 'Sophos. (2019, December 9). Snatch '
'ransomware reboots PCs into Safe '
'Mode to bypass protection. Retrieved '
'June 23, 2021.',
'source_name': 'Sophos Snatch Ransomware 2019',
'url': 'https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/'}],
'id': 'attack-pattern--28170e17-8384-415c-8486-2e6b294cb803',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-10-24T17:48:33.044Z',
'name': 'Safe Mode Boot',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Jorell Magtibay, National Australia Bank Limited',
'Kiyohito Yamamoto, RedLark, NTT Communications',
'Yusuke Kubo, RedLark, NTT Communications'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.1'}