Generated docs from job=generate-docs branch=master [ci skip]

2023-06-26 21:55:02 +00:00
parent 8f8d90d9b1
commit e3aacfbaca
22 changed files with 105 additions and 21 deletions
@@ -66,6 +66,7 @@ defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63
 defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
 defense-evasion,T1564,Hide Artifacts,4,Create and Hide a Service with sc.exe,333c7de0-6fbe-42aa-ac2b-c7e40b18246a,command_prompt
 defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
+defense-evasion,T1562.009,Impair Defenses: Safe Boot Mode,1,Safe Mode Boot,2a78362e-b79a-4482-8e24-be397bce4d85,command_prompt
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
@@ -44,6 +44,7 @@ defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8
 defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
 defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
 defense-evasion,T1564,Hide Artifacts,4,Create and Hide a Service with sc.exe,333c7de0-6fbe-42aa-ac2b-c7e40b18246a,command_prompt
+defense-evasion,T1562.009,Impair Defenses: Safe Boot Mode,1,Safe Mode Boot,2a78362e-b79a-4482-8e24-be397bce4d85,command_prompt
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
 defense-evasion,T1218.004,Signed Binary Proxy Execution: InstallUtil,1,CheckIfInstallable method call,ffd9c807-d402-47d2-879d-f915cf2a3a94,powershell
@@ -103,7 +103,8 @@
 - [T1484.002 Domain Trust Modification](../../T1484.002/T1484.002.md)
  - Atomic Test #1: Add Federation to Azure AD [azure-ad]
 - T1527 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.009 Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1562.009 Impair Defenses: Safe Boot Mode](../../T1562.009/T1562.009.md)
+  - Atomic Test #1: Safe Mode Boot [windows]
 - T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
  - Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
@@ -72,7 +72,8 @@
  - Atomic Test #3: Create an "Administrator " user (with a space on the end) [windows]
  - Atomic Test #4: Create and Hide a Service with sc.exe [windows]
 - T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.009 Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1562.009 Impair Defenses: Safe Boot Mode](../../T1562.009/T1562.009.md)
+  - Atomic Test #1: Safe Mode Boot [windows]
 - [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
  - Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
  - Atomic Test #4: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
@@ -37,7 +37,7 @@
 |  | [Software Deployment Tools](../../T1072/T1072.md) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hide Artifacts](../../T1564/T1564.md) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [Password Policy Discovery](../../T1201/T1201.md) |  | Code Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) |  | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Non-Application Layer Protocol](../../T1095/T1095.md) |  |
 |  | Mshta [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Server Software Component: Transport Agent](../../T1505.002/T1505.002.md) | [Escape to Host](../../T1611/T1611.md) | Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Query Registry](../../T1012/T1012.md) |  | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
-|  | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) |  | Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
+|  | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Impair Defenses: Safe Boot Mode](../../T1562.009/T1562.009.md) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) |  | Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Login Item [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) |  |  |  | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | [Cloud Service Discovery](../../T1526/T1526.md) |  |  |  | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | [Inter-Process Communication](../../T1559/T1559.md) | [Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | [Remote System Discovery](../../T1018/T1018.md) |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -28,7 +28,7 @@
 |  | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Regsvcs/Regasm [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Windows Admin Shares [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hide Artifacts](../../T1564/T1564.md) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [Process Discovery](../../T1057/T1057.md) |  | [Data from Network Shared Drive](../../T1039/T1039.md) |  | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
 |  | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-|  | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) |  | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+|  | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Impair Defenses: Safe Boot Mode](../../T1562.009/T1562.009.md) | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) |  | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | [Password Policy Discovery](../../T1201/T1201.md) |  | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | [Inhibit System Recovery](../../T1490/T1490.md) |
 |  | Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) |  | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | [Query Registry](../../T1012/T1012.md) |  | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) |  | [Non-Standard Port](../../T1571/T1571.md) | [System Shutdown/Reboot](../../T1529/T1529.md) |
@@ -2537,7 +2537,7 @@ defense-evasion:
        description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
          30, 2021.
      modified: '2021-08-31T14:51:47.352Z'
-      name: Safe Mode Boot
+      name: 'Impair Defenses: Safe Boot Mode'
      description: |-
        Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

@@ -2564,6 +2564,7 @@ defense-evasion:
      - Anti-virus
      x_mitre_permissions_required:
      - Administrator
+      identifier: T1562.009
    atomic_tests: []
  T1542.005:
    technique:
@@ -2441,7 +2441,7 @@ defense-evasion:
        description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
          30, 2021.
      modified: '2021-08-31T14:51:47.352Z'
-      name: Safe Mode Boot
+      name: 'Impair Defenses: Safe Boot Mode'
      description: |-
        Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

@@ -2468,6 +2468,7 @@ defense-evasion:
      - Anti-virus
      x_mitre_permissions_required:
      - Administrator
+      identifier: T1562.009
    atomic_tests: []
  T1542.005:
    technique:
@@ -2441,7 +2441,7 @@ defense-evasion:
        description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
          30, 2021.
      modified: '2021-08-31T14:51:47.352Z'
-      name: Safe Mode Boot
+      name: 'Impair Defenses: Safe Boot Mode'
      description: |-
        Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

@@ -2468,6 +2468,7 @@ defense-evasion:
      - Anti-virus
      x_mitre_permissions_required:
      - Administrator
+      identifier: T1562.009
    atomic_tests: []
  T1542.005:
    technique:
@@ -2441,7 +2441,7 @@ defense-evasion:
        description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
          30, 2021.
      modified: '2021-08-31T14:51:47.352Z'
-      name: Safe Mode Boot
+      name: 'Impair Defenses: Safe Boot Mode'
      description: |-
        Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

@@ -2468,6 +2468,7 @@ defense-evasion:
      - Anti-virus
      x_mitre_permissions_required:
      - Administrator
+      identifier: T1562.009
    atomic_tests: []
  T1542.005:
    technique:
@@ -2441,7 +2441,7 @@ defense-evasion:
        description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
          30, 2021.
      modified: '2021-08-31T14:51:47.352Z'
-      name: Safe Mode Boot
+      name: 'Impair Defenses: Safe Boot Mode'
      description: |-
        Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

@@ -2468,6 +2468,7 @@ defense-evasion:
      - Anti-virus
      x_mitre_permissions_required:
      - Administrator
+      identifier: T1562.009
    atomic_tests: []
  T1542.005:
    technique:
@@ -2441,7 +2441,7 @@ defense-evasion:
        description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
          30, 2021.
      modified: '2021-08-31T14:51:47.352Z'
-      name: Safe Mode Boot
+      name: 'Impair Defenses: Safe Boot Mode'
      description: |-
        Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

@@ -2468,6 +2468,7 @@ defense-evasion:
      - Anti-virus
      x_mitre_permissions_required:
      - Administrator
+      identifier: T1562.009
    atomic_tests: []
  T1542.005:
    technique:
@@ -2441,7 +2441,7 @@ defense-evasion:
        description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
          30, 2021.
      modified: '2021-08-31T14:51:47.352Z'
-      name: Safe Mode Boot
+      name: 'Impair Defenses: Safe Boot Mode'
      description: |-
        Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

@@ -2468,6 +2468,7 @@ defense-evasion:
      - Anti-virus
      x_mitre_permissions_required:
      - Administrator
+      identifier: T1562.009
    atomic_tests: []
  T1542.005:
    technique:
@@ -4282,7 +4282,7 @@ defense-evasion:
        description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
          30, 2021.
      modified: '2021-08-31T14:51:47.352Z'
-      name: Safe Mode Boot
+      name: 'Impair Defenses: Safe Boot Mode'
      description: |-
        Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

@@ -4309,7 +4309,19 @@ defense-evasion:
      - Anti-virus
      x_mitre_permissions_required:
      - Administrator
-    atomic_tests: []
+      identifier: T1562.009
+    atomic_tests:
+    - name: Safe Mode Boot
+      auto_generated_guid: 2a78362e-b79a-4482-8e24-be397bce4d85
+      description: Allows adversaries to abuse safe mode to disable endpoint defenses
+        that may not start with limited boot
+      supported_platforms:
+      - windows
+      executor:
+        command: bcdedit /set safeboot network
+        cleanup_command: bcdedit /deletevalue {current} safeboot
+        name: command_prompt
+        elevation_required: true
  T1542.005:
    technique:
      x_mitre_platforms:
@@ -3055,7 +3055,7 @@ defense-evasion:
        description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
          30, 2021.
      modified: '2021-08-31T14:51:47.352Z'
-      name: Safe Mode Boot
+      name: 'Impair Defenses: Safe Boot Mode'
      description: |-
        Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

@@ -3082,6 +3082,7 @@ defense-evasion:
      - Anti-virus
      x_mitre_permissions_required:
      - Administrator
+      identifier: T1562.009
    atomic_tests: []
  T1542.005:
    technique:
@@ -2782,7 +2782,7 @@ defense-evasion:
        description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
          30, 2021.
      modified: '2021-08-31T14:51:47.352Z'
-      name: Safe Mode Boot
+      name: 'Impair Defenses: Safe Boot Mode'
      description: |-
        Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

@@ -2809,6 +2809,7 @@ defense-evasion:
      - Anti-virus
      x_mitre_permissions_required:
      - Administrator
+      identifier: T1562.009
    atomic_tests: []
  T1542.005:
    technique:
@@ -2441,7 +2441,7 @@ defense-evasion:
        description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
          30, 2021.
      modified: '2021-08-31T14:51:47.352Z'
-      name: Safe Mode Boot
+      name: 'Impair Defenses: Safe Boot Mode'
      description: |-
        Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

@@ -2468,6 +2468,7 @@ defense-evasion:
      - Anti-virus
      x_mitre_permissions_required:
      - Administrator
+      identifier: T1562.009
    atomic_tests: []
  T1542.005:
    technique:
@@ -2441,7 +2441,7 @@ defense-evasion:
        description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
          30, 2021.
      modified: '2021-08-31T14:51:47.352Z'
-      name: Safe Mode Boot
+      name: 'Impair Defenses: Safe Boot Mode'
      description: |-
        Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

@@ -2468,6 +2468,7 @@ defense-evasion:
      - Anti-virus
      x_mitre_permissions_required:
      - Administrator
+      identifier: T1562.009
    atomic_tests: []
  T1542.005:
    technique:
@@ -3572,7 +3572,7 @@ defense-evasion:
        description: Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August
          30, 2021.
      modified: '2021-08-31T14:51:47.352Z'
-      name: Safe Mode Boot
+      name: 'Impair Defenses: Safe Boot Mode'
      description: |-
        Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

@@ -3599,7 +3599,19 @@ defense-evasion:
      - Anti-virus
      x_mitre_permissions_required:
      - Administrator
-    atomic_tests: []
+      identifier: T1562.009
+    atomic_tests:
+    - name: Safe Mode Boot
+      auto_generated_guid: 2a78362e-b79a-4482-8e24-be397bce4d85
+      description: Allows adversaries to abuse safe mode to disable endpoint defenses
+        that may not start with limited boot
+      supported_platforms:
+      - windows
+      executor:
+        command: bcdedit /set safeboot network
+        cleanup_command: bcdedit /deletevalue {current} safeboot
+        name: command_prompt
+        elevation_required: true
  T1542.005:
    technique:
      x_mitre_platforms:
@@ -0,0 +1,45 @@
+# T1562.009 - Impair Defenses: Safe Boot Mode
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1562/009)
+<blockquote>Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)
+
+Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit 2021)
+
+Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)). Malicious [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) objects may also be registered and loaded in safe mode.(Citation: Sophos Snatch Ransomware 2019)(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason Nocturnus MedusaLocker 2020)(Citation: BleepingComputer REvil 2021)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Safe Mode Boot](#atomic-test-1---safe-mode-boot)
+
+
+<br/>
+
+## Atomic Test #1 - Safe Mode Boot
+Allows adversaries to abuse safe mode to disable endpoint defenses that may not start with limited boot
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 2a78362e-b79a-4482-8e24-be397bce4d85
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+bcdedit /set safeboot network
+```
+
+#### Cleanup Commands:
+```cmd
+bcdedit /deletevalue {current} safeboot
+```
+
+
+
+
+
+<br/>