Researchers warn the Windows diagnostic feature Safe Mode can be used as a remote attack vector by hackers who already have access to a compromised PC or server. The method of attack is unusual, researchers said, and places attention on the diagnostic tool used to fix PC problems and remove security threats.
Researchers at CyberArk Labs say they have created several proof-of-concept attacks using the Windows Safe Mode tool as an attack vector that could allow a hacker to harvest credentials on PCs running Windows 10 as well as Windows servers. By using Safe Mode, an attacker could easily move laterally within a network without detection, researchers say.
“Once attackers break through the perimeter and gain local administrator privileges on an infected Windows-based machine, they can remotely activate Safe Mode to bypass and manipulate endpoint security measures,” wrote CyberArk in an upcoming blog post outlining its research.
The use of Safe Mode is ideal for attackers, said researchers, because in Safe Mode most third-party endpoint security software is disabled along with Microsoft’s Virtual Secure Module (VSM) protection.
“Safe Mode, by design, does not boot any software or drivers that are not critical to the operation of Windows. As a result, by remotely forcing a reboot in Safe Mode, attackers inside a compromised system are able to operate freely, as most endpoint defenses are not enabled,” CyberArk researchers said.
In order to perpetrate the attack, an attacker must gain admin rights so they can modify registry settings and have the ability to trigger a reboot into Safe Mode on the targeted computer. Next, an attacker creates attack tools that load in Safe Mode. One example would be the use of malicious COM objects.
“Attackers can register a malicious COM object that is loaded by explorer.exe. This enables that attacker’s code to run each time the explorer.exe needs to parse icons,” CyberArk describes.
With these tools in place, the attacker’s malicious code will automatically run during a reboot sequence or the next time the victim restarts their PC, according to CyberArk. In its proof-of-concept attack, researchers customized the Windows Safe Mode GUI via registry settings to match Windows Normal Mode – making it hard for the victim to notice they are in Safe Mode.
With this type of attack, where a hacker already has local admin rights, a logical question emerges: Why would an attacker with administrator privileges need anything more? With those privileges, an attacker can scan for and disable endpoint defenses.
Kobi Ben Naim, senior director of research at CyberArk Labs, said Safe Mode affords attackers greater privileges on a computer that can go beyond local admin rights in Windows. For example, Naim said, Microsoft’s VSM protection (disabled in Safe Mode) protects a compromised PC in Normal Mode from credential attacks such as pass-the-hash.
“Because VSM is only enabled in Normal Mode, attackers can also capture credential hashes needed to laterally move through the environment – despite Microsoft’s claims that pass-the-hash risks have been mitigated,” CyberArk said in its research notes.
Naim added that attackers utilizing Safe Mode can more easily go undetected. Once an attacker has booted a machine into Safe Mode, they can access registry keys and alter configurations to disable or manipulate endpoint security solutions, he said. Now an attacker can reboot the targeted PC back into Normal Mode and proceed with an attack without the risk of being blocked by the (now compromised) endpoint security solutions running on the system.
Additionally, using Safe Mode means an attacker can skip developing and testing code for detecting and disabling every possible endpoint defense that it might encounter on the infected machine.
Mitigation includes removing local administrator privileges from standard users and deploying endpoint security tools that function in Safe Mode, CyberArk says.