Bypassing Endpoint Security Solutions

Remotely Bypassing Endpoint Security Solutions and Anti-Tampering Mechanisms (Not-Too-Safe)

Date: 18 May 2023

Description

The original method was first documented in the paper “Win32/Bypass Abstract”, published on PacketStorm more than 15 years ago. In 2019 a real-world ransomware, Snatch, used a variant of this technique to bypass security measures, as reported by Sophos. The Not-Too-Safe Boot technique was developed to further exploit these weaknesses remotely.

Not-Too-Safe Boot is a remote technique that leverages native Windows functionality, making it 100% Living-off-the-Land (LotL). It enables an attacker who already holds administrative privileges to remotely force a system to start in safe mode, thereby disabling any AV, EDR, or other cybersecurity solution that relies on an anti-tampering mechanism, and then to perform various malicious actions on the unprotected host.

The following are the steps to implement the attack:

1. Enable the “remote registry” service

2. Force write permissions on the BCD00000000 registry branch

3. Remotely write the necessary registry entries

4. Initiate a system reboot

5. Gain remote access and execute commands
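From the defender's side, the five steps above form a correlatable chain: a service state change, a permission change and value writes on the BCD00000000 branch, then a reboot. The following Python detector is an added example, not code from the original post or from the referenced article. It runs that correlation over a constructed, simplified event schema (the field names `kind`, `key`, `service`, `state`, `initiator` and the 30-minute window are assumptions, not real Windows or Sysmon field names); only the `RemoteRegistry` service name and the `BCD00000000` registry branch are real Windows names taken from the page.

```python
"""Correlate the Not-Too-Safe Boot sequence in host telemetry.

Added example, not from the original page. The event schema is a
constructed simplification: each record has host, ts (epoch seconds),
kind and a few kind-specific fields. Map your real telemetry (service
control manager events, registry audit / Sysmon registry events,
shutdown events) onto these kinds before calling detect().
"""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 30 * 60  # assumed correlation window: 30 minutes

BCD_PREFIX = "HKLM\\BCD00000000"   # registry branch named in step 2 (uppercase for matching)
REMOTE_REGISTRY = "remoteregistry"  # Windows service name, compared case-insensitively

STAGES = ("remote_registry_started", "bcd_acl_changed", "bcd_value_written", "reboot")

# Constructed sample telemetry, not real logs. The GUID and element name
# under BCD_PREFIX are placeholders.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": 1000, "kind": "service_state", "service": "RemoteRegistry", "state": "running"},
    {"host": "WS01", "ts": 1060, "kind": "registry_acl_change", "key": BCD_PREFIX},
    {"host": "WS01", "ts": 1120, "kind": "registry_value_set",
     "key": BCD_PREFIX + "\\Objects\\{00000000-0000-0000-0000-000000000000}\\Elements\\EXAMPLE"},
    {"host": "WS01", "ts": 1300, "kind": "system_reboot", "initiator": "remote"},
    # Benign: an admin starts Remote Registry on WS02 but nothing else happens.
    {"host": "WS02", "ts": 2000, "kind": "service_state", "service": "RemoteRegistry", "state": "running"},
    # Suspicious but incomplete: a BCD write on WS03, reboot far outside the window.
    {"host": "WS03", "ts": 3000, "kind": "registry_value_set", "key": BCD_PREFIX + "\\Objects\\X"},
    {"host": "WS03", "ts": 9999, "kind": "system_reboot", "initiator": "local"},
]


@dataclass
class Finding:
    host: str
    severity: str          # "low", "medium" or "high"
    stages: tuple          # sorted stage names observed inside the window
    first_bcd_write_ts: int


def classify(event):
    """Map one event to an attack stage name, or None if it is not relevant."""
    kind = event.get("kind")
    key = str(event.get("key", "")).upper()
    if kind == "service_state":
        running = event.get("state") == "running"
        if running and str(event.get("service", "")).lower() == REMOTE_REGISTRY:
            return "remote_registry_started"
        return None
    if kind == "registry_acl_change" and key.startswith(BCD_PREFIX):
        return "bcd_acl_changed"
    if kind == "registry_value_set" and key.startswith(BCD_PREFIX):
        return "bcd_value_written"
    if kind == "system_reboot":
        return "reboot"
    return None


def detect(events, window=WINDOW_SECONDS):
    """Return one Finding per host that wrote to the BCD branch.

    Severity is anchored on the first BCD value write (t0):
      low    - BCD write only
      medium - BCD write followed by a reboot within `window` seconds
      high   - all four stages seen: the service start and ACL change in
               [t0 - window, t0] and a reboot in [t0, t0 + window]
    """
    per_host = defaultdict(lambda: defaultdict(list))
    for ev in events:
        stage = classify(ev)
        if stage:
            per_host[ev["host"]][stage].append(ev["ts"])

    findings = []
    for host, stages in sorted(per_host.items()):
        writes = sorted(stages.get("bcd_value_written", []))
        if not writes:
            continue  # no boot-configuration tampering on this host
        t0 = writes[0]
        seen = ["bcd_value_written"]
        for stage in ("remote_registry_started", "bcd_acl_changed"):
            if any(t0 - window <= t <= t0 for t in stages.get(stage, [])):
                seen.append(stage)
        rebooted = any(t0 <= t <= t0 + window for t in stages.get("reboot", []))
        if rebooted:
            seen.append("reboot")
        if rebooted and len(seen) == len(STAGES):
            severity = "high"
        elif rebooted:
            severity = "medium"
        else:
            severity = "low"
        findings.append(Finding(host, severity, tuple(sorted(seen)), t0))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Any write under the BCD branch is reported even on its own, because legitimate software rarely edits the boot configuration store through the registry; the reboot and the preceding Remote Registry start only raise the severity. A hardening check that complements this detection is to confirm the Remote Registry service is disabled on hosts that do not need it, since step 1 of the procedure depends on it.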

Reference

https://zerodayzone.com/2023/05/12/not-too-safe-boot-remotely-bypassing-endpoint-security-solutions-av-edr-and-anti-tampering-mechanisms/
