Defense Impairment

T1688: Safe Mode Boot

T1688 · Technique · 1 platform

Description

Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Windows Startup Settings)(Citation: Sophos Safe Mode Boot)

Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit)

Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. Modify Registry). Malicious Component Object Model (COM) objects may also be registered and loaded in safe mode.(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason safe mode boot)(Citation: BleepingComputer REvil 2021)
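As an added defensive example (not part of the ATT&CK entry or any vendor's code), the following Python flags the two host-side indicators described above from constructed, Sysmon-style events: `bcdedit` invoked with a `safeboot` setting, and writes under the `SafeBoot\Minimal` or `SafeBoot\Network` Registry keys. The pipe-delimited event format, field names and sample lines are assumptions made for the example.

```python
import re

# Constructed sample events in a simplified "EventID|field=value|..." form
# (not real Sysmon output). EventID 1 = process creation, 13 = registry value set.
SAMPLE_EVENTS = [
    "1|Image=C:\\Windows\\System32\\bcdedit.exe|CommandLine=bcdedit /set {current} safeboot network",
    "1|Image=C:\\Windows\\System32\\bcdedit.exe|CommandLine=bcdedit /deletevalue {current} safeboot",
    "1|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe notes.txt",
    "13|Image=C:\\Users\\u\\evil.exe|TargetObject=HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\svc_x",
    "13|Image=C:\\Windows\\regedit.exe|TargetObject=HKLM\\SOFTWARE\\Vendor\\Setting",
]

# bcdedit touching the safeboot element in any way (set or delete).
SAFEBOOT_CMD = re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.IGNORECASE)
# The Registry keys that define which services/drivers load in each safe mode.
SAFEBOOT_KEY = re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\", re.IGNORECASE)


def parse_event(line):
    """Split one constructed event line into a dict of fields plus EventID."""
    parts = line.split("|")
    fields = dict(p.split("=", 1) for p in parts[1:])
    fields["EventID"] = int(parts[0])
    return fields


def classify(event):
    """Return an alert label for one event, or None if it looks benign."""
    eid = event["EventID"]
    if eid == 1:  # process creation
        cmd = event.get("CommandLine", "")
        if SAFEBOOT_CMD.search(cmd):
            # Arming safe mode (/set) and clearing it afterwards both merit review.
            if re.search(r"/set\b", cmd, re.IGNORECASE):
                return "T1688: bcdedit set safeboot"
            return "T1688: bcdedit safeboot modified"
    elif eid == 13:  # registry value set
        if SAFEBOOT_KEY.search(event.get("TargetObject", "")):
            return "T1688: SafeBoot service list modified"
    return None


def scan(lines):
    """Run classify() over event lines; return (label, image) pairs for hits."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        label = classify(ev)
        if label:
            alerts.append((label, ev["Image"]))
    return alerts


if __name__ == "__main__":
    for label, image in scan(SAMPLE_EVENTS):
        print(f"{label} <- {image}")
```

In production the same two rules map directly onto process-creation and registry-set telemetry, with the bcdedit hit correlated against a subsequent reboot.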

Platforms

Windows

Mitigations (2)

M1054 · Software Configuration

Ensure that endpoint defenses run in safe mode.(Citation: CyberArk Labs Safe Mode 2016)

M1026 · Privileged Account Management

Following least-privilege principles, restrict to as few individuals as possible the administrator accounts that could be abused to remotely boot a machine into safe mode.(Citation: CyberArk Labs Safe Mode 2016)

Associated Software (7)

| ID | Name | Type | Context |
|---|---|---|---|
| S1247 | Embargo | Malware | [Embargo](https://attack.mitre.org/software/S1247) has used a DLL variant of MDeployer to disable security solutions through Safe Mode.(Citation: ESET... |
| S1053 | AvosLocker | Malware | [AvosLocker](https://attack.mitre.org/software/S1053) can restart a compromised machine in safe mode.(Citation: Trend Micro AvosLocker Apr 2022)(Citat... |
| S0496 | REvil | Malware | [REvil](https://attack.mitre.org/software/S0496) can force a reboot in safe mode with networking.(Citation: BleepingComputer REvil 2021) |
| S1070 | Black Basta | Malware | [Black Basta](https://attack.mitre.org/software/S1070) can reboot victim machines in safe mode with networking via `bcdedit /set safeboot network`.(Ci... |
| S1242 | Qilin | Malware | [Qilin](https://attack.mitre.org/software/S1242) can reboot targeted systems in safe mode to avoid detection.(Citation: Trend Micro Agenda Ransomware ... |
| S1202 | LockBit 3.0 | Malware | [LockBit 3.0](https://attack.mitre.org/software/S1202) can reboot the infected host into Safe Mode.(Citation: Joint Cybersecurity Advisory LockBit 3.0... |
| S1212 | RansomHub | Malware | [RansomHub](https://attack.mitre.org/software/S1212) can reboot targeted systems into Safe Mode prior to encryption.(Citation: Group-IB RansomHub FEB ... |

Frequently Asked Questions

What is T1688 (Safe Mode Boot)?

T1688 is a MITRE ATT&CK technique named 'Safe Mode Boot'. It belongs to the Defense Impairment tactic(s). Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as...

How can T1688 be detected?

Detection of T1688 (Safe Mode Boot) typically involves monitoring system logs, network traffic, and endpoint telemetry, in particular for modifications to Boot Configuration Data (BCD) stores and to the Registry values that control which services start in safe mode. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1688?

There are 2 documented mitigations for T1688. Key mitigations include: Software Configuration, Privileged Account Management.

Which threat groups use T1688?

While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.