
Researchers at CyberArk have published a proof-of-concept attack that abuses Windows Safe Mode to expose credentials and extend an attacker's access to a PC or Windows server. They first discovered the attack in February and reported it to the Microsoft Security Response Center, which replied that it was not a valid vulnerability.

The attacker must already hold local administrator rights on the PC or server, so this is a post-exploitation and persistence technique rather than a way in. According to the article:

Once attackers break through the perimeter and gain local administrator privileges on an infected Windows-based machine, they can remotely activate Safe Mode to bypass and manipulate endpoint security measures.

Safe Mode, by design, does not boot any software or drivers that are not critical to the operation of Windows. As a result, by remotely forcing a reboot in Safe Mode, attackers inside a compromised system are able to operate freely, as most endpoint defenses are not enabled.

Once the attacker has local administrative rights, they can edit the boot configuration (the BCD safeboot setting, which Windows keeps in a registry hive) to force the next reboot into Safe Mode, and then run tools built to operate there.

Attackers can register a malicious COM object that is loaded by explorer.exe. This enables the attacker's code to run each time explorer.exe needs to parse icons.

By doing this, the attacker's code runs automatically at every boot, in Normal Mode or Safe Mode, because explorer.exe starts in both.

Because VSM (Virtual Secure Mode, the isolated environment that backs Credential Guard) is only enabled in Normal Mode, attackers can also capture the credential hashes needed to move laterally through the environment, despite Microsoft's claims that pass-the-hash risks have been mitigated.

Once an attacker has booted a machine into Safe Mode, they can access registry keys and alter configurations to disable or manipulate endpoint security solutions, which then lets them run their attack tools in Normal Mode without triggering any alarms for violating security rules.

Mitigation Steps

According to the article, there are a few mitigation steps an administrator can take:

  • Enforce the principle of least privilege, so that as few accounts as possible hold the local administrator rights the attack requires.
  • Rotate privileged account credentials, which limits the value of any hashes captured while the machine is in Safe Mode.
  • Employ security tools that operate in Safe Mode.
  • Monitor the use of Safe Mode, including reboots into it and changes to the boot configuration that arm it.
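As an added example that is not part of the CyberArk article, the following PowerShell audits a host for the artifacts the technique above leaves behind and implements the "Monitor the use of Safe Mode" item: the current boot mode, a BCD entry already flagged with safeboot, services and drivers registered to start under SafeBoot\Minimal or SafeBoot\Network, the icon overlay handlers Explorer loads (assumed here to be the icon-related COM extension point the article alludes to), and recent Security 4688 process-creation events in which bcdedit was run with safeboot. The "image outside the Windows directory" heuristic for SafeBoot entries, the seven-day lookback and the function name Invoke-SafeModeAudit are assumptions, and the 4688 check only works when command-line auditing is enabled.

```powershell
# Added example, not code from the CyberArk article: audit a Windows host for the
# artifacts of the Safe Mode technique. Run from an elevated PowerShell on the
# host being checked. Heuristics are marked as assumptions; the script only reports.
#Requires -RunAsAdministrator

function Invoke-SafeModeAudit {
    [CmdletBinding()]
    param(
        # How far back to search the Security log for the arming step (assumption: 7 days).
        [int] $LookbackDays = 7
    )

    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Current boot mode. SAFEBOOT_OPTION exists only in Safe Mode (Minimal or
    #    Network), and Win32_ComputerSystem.BootupState reads "Fail-safe boot" there.
    $findings.Add([pscustomobject]@{
        Check  = 'CurrentBootMode'
        Detail = (Get-CimInstance Win32_ComputerSystem).BootupState
        Value  = $env:SAFEBOOT_OPTION   # $null in Normal Mode
    })

    # 2. Is the next reboot already armed? bcdedit prints a 'safeboot' line on any
    #    boot entry flagged to start in Safe Mode.
    $armed = bcdedit /enum 2>&1 | Select-String -Pattern '^\s*safeboot\s+\S+'
    foreach ($line in $armed) {
        $findings.Add([pscustomobject]@{ Check = 'BcdSafebootSet'; Detail = $line.Line.Trim(); Value = $null })
    }

    # 3. What Windows will start in Safe Mode. Only services and drivers listed under
    #    SafeBoot\Minimal or SafeBoot\Network load there, so a tool meant to run in
    #    Safe Mode must be registered in one of these keys. Heuristic (assumption):
    #    flag entries whose service image does not live under the Windows directory.
    $safeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
    foreach ($mode in 'Minimal', 'Network') {
        foreach ($entry in Get-ChildItem "$safeBootRoot\$mode" -ErrorAction SilentlyContinue) {
            $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($entry.PSChildName)"
            $image  = (Get-ItemProperty $svcKey -ErrorAction SilentlyContinue).ImagePath
            if ($image -and $image -notmatch '(?i)(systemroot|system32|windir)') {
                $findings.Add([pscustomobject]@{ Check = "SafeBoot\$mode"; Detail = $entry.PSChildName; Value = $image })
            }
        }
    }

    # 4. COM shell extensions Explorer loads while drawing icons. Icon overlay
    #    handlers are assumed to be the extension point the article refers to; each
    #    handler is listed with the DLL its CLSID resolves to, for manual review.
    $overlayKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
    foreach ($handler in Get-ChildItem $overlayKey -ErrorAction SilentlyContinue) {
        $clsid = (Get-ItemProperty $handler.PSPath).'(default)'
        $dll   = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $findings.Add([pscustomobject]@{ Check = 'IconOverlayHandler'; Detail = "$($handler.PSChildName) $clsid"; Value = $dll })
    }

    # 5. Evidence of the arming step: Security 4688 (process creation) for bcdedit
    #    with 'safeboot' on the command line. Needs "Audit Process Creation" and
    #    "Include command line in process creation events" enabled; otherwise the
    #    command-line field (property index 8 of a 4688 event) is empty.
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$LookbackDays) }
    foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        if ($ev.Properties.Count -le 8) { continue }
        $cmd = [string]$ev.Properties[8].Value
        if ($cmd -match '(?i)bcdedit' -and $cmd -match '(?i)safeboot') {
            $findings.Add([pscustomobject]@{ Check = 'SafeModeArmedEvent'; Detail = $ev.TimeCreated; Value = $cmd })
        }
    }

    return $findings
}

Invoke-SafeModeAudit | Format-Table -AutoSize -Wrap
```

Run it as administrator; it changes nothing on the host. The most useful of the five checks to centralise is the 4688 pattern, because it fires before the reboot: once the machine is in Safe Mode, the endpoint agent that would normally raise the alert is exactly the component that is not running.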

Source: CyberArk