Bypass Record

Safe-Mode Boot × Microsoft Windows Defender

A publicly reported instance of Safe-Mode Boot bypassing Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Windows Defender
Technique: Safe-Mode Boot
MITRE ATT&CK: T1562.009
Confidence: High
Severity: High
Status: poc
Disclosed: 2024-09-25
Config / version noted: Not stated

Provenance

Reported as

A Python script automates booting into Windows Safe Mode to disable Windows Defender services and scheduled tasks, effectively bypassing tamper protection.

Mechanism

The script uses bcdedit to enable Safe Mode boot, reboots the system, then stops Windows Defender services (e.g., WinDefend, WdNisSvc) and disables related scheduled tasks while in Safe Mode. It then reverts the boot configuration to normal. This bypasses tamper protection because Defender's self-protection mechanisms are not fully active in Safe Mode.

Detection & mitigation

Monitor for bcdedit commands setting safeboot options (e.g., 'bcdedit /set {current} safeboot minimal') and unexpected reboots into Safe Mode. Mitigate by restricting administrative privileges and enabling Windows Defender tamper protection with strong policies.
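As an added illustration of the monitoring described above (not code from the cited source), the following Python scans constructed process-creation log lines for the bcdedit safeboot changes and the Defender service/task tampering the record describes, and flags hosts where the two occur in that order. Field names, hostnames and timestamps in the sample are made up; the service names WinDefend and WdNisSvc are the ones named in the record.

```python
import re

# Constructed process-creation events (field names loosely modelled on Sysmon Event ID 1 /
# Security 4688 CommandLine); hosts and timestamps are invented for this example.
SAMPLE_EVENTS = [
    {"ts": "2024-09-25T10:01:02Z", "host": "WS01", "cmd": "bcdedit /set {current} safeboot minimal"},
    {"ts": "2024-09-25T10:01:05Z", "host": "WS01", "cmd": "shutdown /r /t 0"},
    {"ts": "2024-09-25T10:03:40Z", "host": "WS01", "cmd": "sc stop WinDefend"},
    {"ts": "2024-09-25T10:03:41Z", "host": "WS01", "cmd": "net stop WdNisSvc"},
    {"ts": "2024-09-25T10:03:50Z", "host": "WS01",
     "cmd": 'schtasks /Change /TN "Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan" /Disable'},
    {"ts": "2024-09-25T10:04:00Z", "host": "WS01", "cmd": "bcdedit /deletevalue {current} safeboot"},
    {"ts": "2024-09-25T11:00:00Z", "host": "WS02", "cmd": "BCDEDIT /SET SAFEBOOT NETWORK"},  # no {id}, upper-case
    {"ts": "2024-09-25T11:30:00Z", "host": "WS03", "cmd": "bcdedit /enum all"},             # benign read
    {"ts": "2024-09-25T11:31:00Z", "host": "WS03", "cmd": "sc query WinDefend"},            # benign query
]

# Detection rules as (label, pattern). Matching is case-insensitive; the {identifier} is
# optional because bcdedit /set defaults to the current boot entry when it is omitted.
RULES = [
    ("safeboot_set", re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+(?:\{[^}]*\}\s+)?safeboot(?:alternateshell)?\b", re.I)),
    ("safeboot_cleared", re.compile(r"\bbcdedit(?:\.exe)?\s+/deletevalue\s+(?:\{[^}]*\}\s+)?safeboot\b", re.I)),
    ("defender_svc_stop", re.compile(r'\b(?:sc(?:\.exe)?|net(?:\.exe)?)\s+stop\s+"?(?:WinDefend|WdNisSvc)\b', re.I)),
    ("defender_task_disabled", re.compile(r"\bschtasks(?:\.exe)?\s+/change\b.*windows defender.*/disable\b", re.I)),
]

def classify(cmd):
    """Return the label of the first rule that matches one command line, or None."""
    for label, pattern in RULES:
        if pattern.search(cmd):
            return label
    return None

def scan(events):
    """Return the events that match any rule, in input order, tagged with the rule label."""
    hits = []
    for ev in events:
        label = classify(ev["cmd"])
        if label:
            hits.append({**ev, "label": label})
    return hits

def tamper_sequence_hosts(hits):
    """Hosts where a safeboot flag was set and a Defender service or task was touched afterwards."""
    armed, flagged = set(), set()
    for h in sorted(hits, key=lambda e: (e["host"], e["ts"])):
        if h["label"] == "safeboot_set":
            armed.add(h["host"])
        elif h["label"].startswith("defender_") and h["host"] in armed:
            flagged.add(h["host"])
    return sorted(flagged)
```

A lone safeboot change (WS02 in the sample) still appears in scan() and deserves triage on its own; tamper_sequence_hosts() only raises the priority where the full sequence is seen.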

This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.