CyberArk, a US cyber-security vendor, recently published research revealing several attack scenarios that leverage Windows Safe Mode to carry out malicious activity undetected, extract credentials from nearby workstations, or even disable security software.
The attack described is not a security vulnerability; it is a post-exploitation technique that becomes possible once a malicious actor has compromised a PC and gained administrator privileges.
This hypothetical scenario is more than achievable, because Windows computers are compromised by all sorts of malware on a daily basis and various exploits for escalating privileges to the admin level are freely available.
The attack works because Windows allows applications to prompt the user to restart the PC and then silently force that restart into Safe Mode.
Safe Mode matters to an attacker because it prevents all third-party software from starting, including antivirus systems.
Once the computer reboots in Safe Mode, an attacker can alter registry keys belonging to applications such as antivirus and anti-malware toolkits; in Normal Mode those keys are locked down, and tampering with them would trigger a security alert.
An attacker with a foothold on an infected system could use this technique to disable antivirus software for good and keep their presence undetected until whatever malicious tasks they intend to carry out are finished.
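The technique leaves two footprints that a defender can audit for: a Safe Mode boot queued in the Boot Configuration Data, and changes to the SafeBoot registry keys that decide which services and drivers are allowed to start in Safe Mode. The following PowerShell script is an added example, not code from CyberArk or the article; the baseline list is a constructed, deliberately incomplete sample, and the script assumes it is run as Administrator.

```powershell
# Defender-side audit for the Safe Mode technique (added example, not from the article).
# 1. A 'safeboot' element in BCD means the next reboot lands in Safe Mode, whether
#    or not the user expects it.
# 2. SafeBoot\Minimal and SafeBoot\Network list what may start in Safe Mode; tooling
#    that an attacker wants running there needs an entry, so unknown names stand out.

function Test-PendingSafeModeBoot {
    # bcdedit prints a "safeboot  Minimal|Network" line for each boot entry that has it set.
    $bcd  = & bcdedit.exe /enum 2>$null
    $hits = @($bcd | Where-Object { $_ -match '^\s*safeboot\s+' } | ForEach-Object { $_.Trim() })
    return [pscustomobject]@{
        PendingSafeMode = ($hits.Count -gt 0)
        Entries         = $hits
    }
}

function Get-CurrentBootMode {
    # Win32_ComputerSystem.BootupState reports "Normal boot", "Fail-safe boot"
    # (Safe Mode) or "Fail-safe with network boot" for the running session.
    return (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
}

function Compare-SafeBootAllowlist {
    param([string[]]$Baseline)   # subkey names captured from a trusted host of the same build
    foreach ($mode in 'Minimal', 'Network') {
        $path    = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        $current = (Get-ChildItem -Path $path -ErrorAction SilentlyContinue).PSChildName
        foreach ($name in $current) {
            if ($Baseline -notcontains $name) {
                [pscustomobject]@{ Mode = $mode; Entry = $name; Finding = 'Not in baseline' }
            }
        }
    }
}

# Constructed sample baseline for illustration only; it is NOT complete for any Windows build.
# Build the real one by exporting these keys from a known-good image.
$exampleBaseline = @('Base', 'Boot Bus Extender', 'EventLog', 'PlugPlay', 'WinDefend')

$pending = Test-PendingSafeModeBoot
if ($pending.PendingSafeMode) {
    Write-Warning "Safe Mode boot is configured in BCD: $($pending.Entries -join '; ')"
}
"Current boot mode: $(Get-CurrentBootMode)"
Compare-SafeBootAllowlist -Baseline $exampleBaseline | Format-Table -AutoSize
```

Every entry the last call reports is worth checking against vendor documentation before it is treated as a finding, since legitimate software can register Safe Mode services too.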
Of course, the attack still relies on tricking users into allowing the computer to reboot, and on them not being alarmed when it ends up in Safe Mode.
Executing most of the malicious commands in Safe Mode takes little time, after which the computer can reboot back into Normal Mode; this looks less conspicuous because some Windows installation procedures are known to reboot a PC several times.
Besides disabling security software installed on the PC, the same scenario can be used to harvest login credentials from computers on the same network by means of a Pass-the-Hash attack.