Introduction
In this article we provide an in-depth analysis of the Not-Too-Safe Boot technique, which was designed to remotely bypass endpoint security solutions such as antivirus (AV), endpoint detection and response (EDR) and their anti-tampering mechanisms.
The method builds on a local execution technique first published in 2007 and later used in a real-world attack by a ransomware family in 2019.
Not-Too-Safe Boot revisits that original, local-only technique: using nothing but native Windows functionality, it lets an attacker who already holds administrative privileges on the victim system remotely force the machine to boot into Safe Mode and then carry out malicious activity there.
Background
The original method, to the best of our knowledge, was first documented in the paper “Win32/Bypass Abstract” published on PacketStorm more than 15 years ago.
As mentioned above, in 2019 the Snatch ransomware used a variant of this technique to bypass security measures, as reported by Sophos.
In response to the ever-changing threat landscape, the Not-Too-Safe Boot technique was developed to further exploit these weaknesses remotely.
Not-Too-Safe Boot: The Basics
Not-Too-Safe Boot is a remote technique that relies only on native Windows functionality, making it fully Living-off-the-Land (LotL).
It lets an attacker who holds administrative privileges remotely force a system to restart in Safe Mode. In that mode Windows starts only the drivers and services registered under the SafeBoot registry keys, so AV, EDR and other security products that are not registered there (including their anti-tampering components) simply do not load, leaving the attacker free to perform malicious actions on the rebooted system.
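The two artifacts that make this work, a Safe Mode flag in the boot configuration and a service registered under the SafeBoot keys, are also what a defender can audit for. The following PowerShell script is an added example written for this page; it is not code from the original article or from the Not-Too-Safe Boot tooling. It assumes local administrator rights on a standard Windows installation, and it treats any Safe Mode service whose binary lives outside the Windows directory as worth a look (an assumption, not a rule).

```powershell
# Added example (not part of the original article): audit a host for the
# artifacts a forced Safe Mode boot relies on. Run from an elevated shell.
# Assumptions: standard Windows install; a Safe Mode service whose binary
# is outside $env:SystemRoot is suspicious enough to report.

# 1. Boot configuration: is the OS already told to start in Safe Mode on the
#    next reboot? "bcdedit /enum {current}" prints a line such as
#    "safeboot                Minimal" only when the option has been set.
$bcdOutput    = & bcdedit.exe /enum '{current}' 2>$null
$safebootLine = $bcdOutput | Where-Object { $_ -match '^\s*safeboot\s' } | Select-Object -First 1
if ($safebootLine -and ($safebootLine -match '^\s*safeboot\s+(\S+)')) {
    Write-Warning "BCD entry {current} is set to boot into Safe Mode ($($Matches[1]))."
    Write-Warning "Clear it with: bcdedit /deletevalue {current} safeboot"
} else {
    Write-Output "BCD entry {current}: no safeboot option set."
}

# 2. SafeBoot registry keys: Windows starts only what is listed here in Safe
#    Mode, so a service an attacker wants running must be registered under
#    Minimal or Network. Report every service-type entry whose binary is not
#    under the Windows directory, and any entry pointing at a missing service.
foreach ($mode in 'Minimal', 'Network') {
    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    if (-not (Test-Path $keyPath)) { continue }

    foreach ($entry in Get-ChildItem -Path $keyPath) {
        # Driver-class entries carry a class name as their default value;
        # service entries carry the literal string "Service".
        $kind = (Get-ItemProperty -Path $entry.PSPath).'(default)'
        if ($kind -ne 'Service') { continue }

        $svcName = $entry.PSChildName
        $svcKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
        if (-not (Test-Path $svcKey)) {
            Write-Warning "SafeBoot\$mode lists service '$svcName', which does not exist."
            continue
        }

        $imagePath = (Get-ItemProperty -Path $svcKey).ImagePath
        if (-not $imagePath) { continue }   # e.g. a driver-only entry with no ImagePath

        # Reduce ImagePath to the binary: drop the NT "\??\" prefix, take the
        # quoted path if there is one, otherwise cut at the first space
        # (an unquoted path with spaces is truncated, which still gets it flagged).
        $binary = $imagePath -replace '^\\\?\?\\', ''
        if ($binary -match '^"([^"]+)"') { $binary = $Matches[1] }
        else                              { $binary = ($binary -split '\s+')[0] }
        $binary = [System.Environment]::ExpandEnvironmentVariables($binary)

        if ($binary -notlike "$env:SystemRoot\*") {
            Write-Warning "SafeBoot\$mode: service '$svcName' starts $binary (outside $env:SystemRoot)."
        } else {
            Write-Output "SafeBoot\$mode: service '$svcName' -> $binary"
        }
    }
}
```

The first check catches the boot flag before the reboot happens; the second catches the persistence half of the technique, a service that an attacker has added so it survives into Safe Mode. Security products that do load in Safe Mode appear in the second listing as well, which is a quick way to confirm whether your own EDR has registered itself there.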
Not-Too-Safe Boot: Attack Execution
The following are the steps to implement the attack:
1.