* Create T1562.009.yaml
Details:
Allows adversaries to abuse safe mode to disable endpoint defenses that may not start with limited boot. This is achieved by modifying Boot Configuration Data (BCD) stores, which are files that manage boot application settings. Applying the following command, which requires elevated privileges, causes the system to boot in safe mode at next startup or restart.
"bcdedit /set safeboot network"
Testing
Testing was successfully carried out on Win 10 x64.
Cleanup command "bcdedit /deletevalue {current} safeboot" was used to restore boot to normal.
Associated Issues
None.
* Update T1562.009.yaml
---------
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
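
Detection-side view of the two commands named in this commit message, as an added example that is not part of the commit: it classifies process-creation command lines as setting or clearing the BCD `safeboot` value. The function names and sample command lines are constructed for illustration, and it assumes the bcdedit path contains no spaces.

```python
import re

# bcdedit by bare name or full path, with or without ".exe"
_BCDEDIT = re.compile(r'(^|[\\/])bcdedit(\.exe)?$', re.IGNORECASE)
_SAFEBOOT_MODES = {"minimal", "network", "dsrepair"}

def classify(command_line):
    """Return ('set', mode), ('cleared', None) or None for one command line."""
    # Assumption: no spaces in the bcdedit path, so dropping quotes is safe.
    tokens = command_line.replace('"', ' ').split()
    start = next((i for i, t in enumerate(tokens) if _BCDEDIT.search(t)), None)
    if start is None:
        return None
    args = [t.lower() for t in tokens[start + 1:]]
    for i, arg in enumerate(args):
        if arg[:1] not in "/-":          # bcdedit options start with / or -
            continue
        verb, rest = arg[1:], args[i + 1:]
        if rest and rest[0].startswith("{"):   # optional entry id, e.g. {current}
            rest = rest[1:]
        if not rest or rest[0] != "safeboot":
            continue
        if verb == "set" and len(rest) > 1 and rest[1] in _SAFEBOOT_MODES:
            return ("set", rest[1])
        if verb == "deletevalue":
            return ("cleared", None)
    return None

def scan(command_lines):
    """Return (command_line, verdict) pairs for lines that touch safeboot."""
    hits = []
    for line in command_lines:
        verdict = classify(line)
        if verdict is not None:
            hits.append((line, verdict))
    return hits

# Constructed sample command lines (not taken from any real log)
SAMPLES = [
    r'bcdedit /set safeboot network',
    r'"C:\Windows\System32\bcdedit.exe" /set {current} safeboot minimal',
    r'cmd.exe /c BCDEDIT.EXE -set {default} safeboot network',
    r'bcdedit /deletevalue {current} safeboot',
    r'bcdedit /enum {current}',
    r'bcdedit /set {current} description "safeboot network"',
]

if __name__ == "__main__":
    for line, verdict in scan(SAMPLES):
        print(verdict, "<-", line)
```

A `set` verdict with no matching `cleared` before the next boot is the case to alert on; the last sample shows that a `safeboot` string in another element's value is not flagged.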