Windows Safe Mode Can Be Used to Hack a PC


CyberArk, a US cyber-security vendor, recently published research describing various attack scenarios that leverage Windows Safe Mode to carry out malicious attacks undetected, extract PC credentials from nearby workstations, or even disable security software.

The attack described is not a security vulnerability but an exploitation scenario that becomes possible after a malicious actor has managed to compromise a PC and gain administrator privileges.

This hypothetical scenario is more than achievable because Windows computers get compromised with all sorts of malware on a daily basis, and various exploits are freely available to escalate privileges to admin level.

The attack works because Windows allows applications to prompt the user to restart the PC and to secretly force that restart into Safe Mode.

Safe Mode is important to an attacker because it prevents all third-party software from starting, including antivirus systems.

When the computer reboots in Safe Mode, an attacker could alter registry keys for applications such as antivirus and anti-malware toolkits. In Normal Mode those keys are off-limits, and tampering with them would trigger a security alert.

An attacker with a foothold on an infected system could leverage this technique to disable antivirus software for good and make sure his presence remains undetected until he finishes whatever malicious tasks he wants to carry out.

Of course, the attack still relies on tricking users into allowing the computer to reboot, and on their not being alarmed when they end up in Safe Mode.

Executing most of the malicious commands while in Safe Mode takes little time, and the computer could then reboot again to Normal Mode, which would look less conspicuous since some Windows installation procedures are known to reboot PCs several times over.
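For defenders, one place to look for a pending forced Safe Mode boot is the machine's boot configuration. The article does not name the mechanism, so this added example (not code from CyberArk or from this article) assumes the Safe Mode setting shows up as a `safeboot` element in collected `bcdedit /enum` output; the sample text and function names are constructed for illustration.

```python
import re

# Constructed sample of `bcdedit /enum` output (not captured from a real host).
SAMPLE_BCDEDIT_OUTPUT = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
description             Windows Boot Manager
default                 {current}
displayorder            {current}
                        {11111111-2222-3333-4444-555555555555}

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 10
safeboot                Minimal
"""

def parse_bcd_entries(text):
    """Split bcdedit output into entries, each a dict of element name -> value."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
        # An entry is a title line, a dashed underline, then "name  value" rows.
        if len(lines) < 3 or set(lines[1]) != {"-"}:
            continue
        entry, last = {"_type": lines[0].strip()}, None
        for ln in lines[2:]:
            if ln[0].isspace() and last:      # continuation of a multi-value element
                entry[last] += " " + ln.strip()
                continue
            name, _, value = ln.partition(" ")
            last = name.lower()
            entry[last] = value.strip()
        entries.append(entry)
    return entries

def find_safeboot_entries(text):
    """Assumed indicator: return (identifier, description, mode) for entries with `safeboot`."""
    return [(e.get("identifier", "?"), e.get("description", "?"), e["safeboot"])
            for e in parse_bcd_entries(text) if "safeboot" in e]

if __name__ == "__main__":
    for ident, desc, mode in find_safeboot_entries(SAMPLE_BCDEDIT_OUTPUT):
        print(f"ALERT: boot entry {ident} ({desc}) is set to start in Safe Mode ({mode})")
```

A hit on a workstation where no administrator scheduled Safe Mode maintenance is worth investigating before the next reboot.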

Besides disabling security software installed on the PC, this attack scenario can be used to harvest login credentials from computers on the same network by means of a Pass-the-Hash attack.


Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at latesthackingnews.com, this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]
