A security researcher has uncovered a way for attackers to abuse a Windows 10 Safe Mode weakness to steal account credentials.
Windows 10 Safe Mode Can Be Compromised
Security expert Doron Naim has demonstrated an issue that allows criminals to abuse the Windows 10 Safe Mode feature to steal login information from victim computers. The scenario involves physical access to the target machine. Once an attacker boots the machine into Safe Mode, they operate in a far less protected environment.
Safe Mode is designed to restrict most third-party software from running, including security tools. As a result, criminals can use the mode to disable and evade the defenses that have been configured on victim machines.
They can then attempt privilege escalation with an exploit. Once that has succeeded, the criminals can further shield themselves from threat prevention tools by modifying the system and disabling key security features built into the operating system, as well as any third-party security applications. Compromised machines can then be used to launch attacks on the network.
With physical access, an attacker can exploit a machine in a simple three-step scenario:
- Reboot into Safe Mode
- Set up attack tools that can load in Safe Mode
- Force reboot the machine and exploit it with the installed payload
Attackers who already have remote access can also configure a machine to boot into Safe Mode, using the boot configuration tool that is built into Windows. The remote attacker can ensure that their malicious payload runs in the Safe Mode environment by using one of these tactics:
- Malicious Service Setup – Attackers configure their tools to run as a service.
- Malicious COM Object – The attackers register malicious COM objects that are loaded by the explorer.exe executable. The code then runs each time explorer.exe parses icons, which happens even in Safe Mode.
Attackers can also conceal their activity with counterfeit alerts and other evasion methods. Other possibilities include credential theft and code injection into system applications.
There are ways to counter attacks that use this strategy. The security expert recommends the following:
- Proactively Rotate Privileged Account Credentials – Automated rotation shortens the window in which stolen credentials can be reused in pass-the-hash attacks.
- Use Security Tools That Operate in Safe Mode – Some endpoint protection tools keep working even in Safe Mode. Organizations should invest in them to protect themselves from such attacks.
- Monitor Safe Mode Usage – System administrators should use the Event Log to analyze Safe Mode events and operations on all computers for signs of intrusion.
- Enforce the Least Privilege Principle – System administrators can remove local administrator privileges from standard users, which helps mitigate the attack.
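The monitoring recommendation above is easy to state but the article does not show what to look for. The following PowerShell script is an added example written for this page, not code from the article or from the researcher, that audits a single Windows host for the Safe Mode indicators the attack leaves behind: whether the host is currently running in Safe Mode, whether a persistent safeboot flag has been set on the current boot entry, which services are whitelisted to start under Safe Mode (the registry list an attacker must extend for the "malicious service" tactic), and recent process-creation events whose command line sets the safeboot flag. It assumes it runs with administrator rights, that process-creation auditing (Security event 4688 with command-line logging) and/or Sysmon (event 1) is enabled, and that the "boot configuration tool" the article refers to is bcdedit.exe; the function names and the `$DaysBack` parameter are my own.

```powershell
# Added example, not part of the original article: audit a Windows host for Safe Mode abuse.
# Assumptions: run elevated; Security 4688 (with command-line logging) and/or Sysmon
# event 1 available; bcdedit.exe is the boot configuration tool the article mentions.

function Test-SafeBootCommandLine {
    # Returns $true when a process command line sets or clears the BCD safeboot flag.
    param([string]$CommandLine)
    return [bool]($CommandLine -match '(?i)bcdedit(\.exe)?\s.*safeboot')
}

function Get-SafeBootIndicators {
    [CmdletBinding()]
    param([int]$DaysBack = 7)   # hypothetical parameter: how far back to search the logs

    $findings = [System.Collections.Generic.List[object]]::new()
    $now = Get-Date

    # 1. Is the host running in Safe Mode right now? Win32_ComputerSystem.BootupState is
    #    "Normal boot", "Fail-safe boot" or "Fail-safe with network boot".
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.BootupState -ne 'Normal boot') {
        $findings.Add([pscustomobject]@{ Time = $now; Source = 'BootupState'
                                         Detail = "Host is currently in: $($cs.BootupState)" })
    }

    # 2. Has a persistent safeboot flag been set on the current boot entry?
    #    bcdedit prints a 'safeboot' line only when the flag is present.
    $bcd = & bcdedit.exe /enum '{current}' 2>$null
    $safebootLine = $bcd | Where-Object { $_ -match '^\s*safeboot\s' }
    if ($safebootLine) {
        $findings.Add([pscustomobject]@{ Time = $now; Source = 'BCD'
                                         Detail = "Boot entry has: $($safebootLine.Trim())" })
    }

    # 3. Services whitelisted to start in Safe Mode. Windows keeps a short built-in list
    #    here; review any entry you do not recognize against a known-good host.
    foreach ($set in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$set"
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue |
            Where-Object { (Get-ItemProperty -Path $_.PSPath).'(default)' -eq 'Service' } |
            ForEach-Object {
                $findings.Add([pscustomobject]@{ Time = $now; Source = "SafeBoot\$set"
                                                 Detail = "Service allowed in Safe Mode: $($_.PSChildName)" })
            }
    }

    # 4. Process-creation events whose command line touched the safeboot flag.
    $since = $now.AddDays(-$DaysBack)
    $queries = @(
        @{ LogName = 'Security'; Id = 4688; StartTime = $since },
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since }
    )
    foreach ($q in $queries) {
        $events = Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $xml = [xml]$e.ToXml()
            $cmd = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
            if ($cmd -and (Test-SafeBootCommandLine $cmd)) {
                $findings.Add([pscustomobject]@{ Time = $e.TimeCreated; Source = "$($q.LogName) $($q.Id)"
                                                 Detail = $cmd })
            }
        }
    }
    return $findings
}

# Usage: run on each host (or via remoting) and review the table, or forward it to a SIEM.
Get-SafeBootIndicators -DaysBack 14 | Sort-Object Time | Format-Table -AutoSize
```

Step 3 is the noisiest check: a clean Windows install already lists a handful of services under the SafeBoot keys, so compare the output against a known-good host rather than alerting on every entry. Step 4 only works where command-line logging is on; without it the 4688 events carry no `CommandLine` field and the query silently returns nothing, which is itself worth checking when you roll this out.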