manipulate safe mode programs

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: manipulate safe mode programs
    namespace: host-interaction/bootloader
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Defense Evasion::Impair Defenses::Safe Mode Boot [T1562.009]
    examples:
      - 3446b3889a52d81119d8c482a2a282b9:0x409AA8
  features:
    - and:
      - os: windows
      - or:
        - substring: "Control\\SafeBoot\\Minimal\\"
          description: registry key for safe mode, no networking
        - substring: "Control\\SafeBoot\\Network\\"
          description: registry key for safe mode, with networking

last edited: 2023-11-24 10:34:28