Remote Safe Mode attack defeats Windows 10 pass-the-hash defenses

To avoid their password extraction tools from being detected or blocked, attackers can remotely reboot computers into Safe Mode

Microsoft tries to protect user account credentials from theft in Windows 10 Enterprise, and security products detect attempts to pilfer user passwords. But all those efforts can be undone by Safe Mode, according to security researchers.

The Safe Mode is an OS diagnostic mode of operation that has existed since Windows 95. It can be activated at boot time and only loads the minimal set of services and drivers that Windows requires to run.

This means that most third-party software, including security products, don't start in Safe Mode, negating the protection they otherwise offer. In addition, there are also Windows optional features like the Virtual Secure Module (VSM), which don't run in this mode.

VSM is a virtual machine container present in Windows 10 Enterprise that can be used to isolate critical services from the rest of the system, including the Local Security Authority Subsystem Service (LSASS). The LSASS handles user authentication. If VSM is active, not even administrative users can access the passwords or password hashes of other system users.

On Windows networks, attackers don't necessarily need plaintext passwords to access certain services. In many cases the authentication process relies on the password's cryptographic hash, so there are tools to extract such hashes from compromised Windows machines and use them to access other services.

This lateral movement technique is known as pass-the-hash and is one of attacks that Virtual Secure Module (VSM) was intended to protect against.

However, security researchers from CyberArk Software realized that since VSM and other security products that could block password extraction tools don't start in Safe Mode, attackers could use it to bypass defenses.

Meanwhile, there are ways to remotely force computers into Safe Mode without raising suspicions from users, CyberArk researcher Doron Naim said in a blog post.

To pull off such an attack, a hacker would first need to gain administrative access on the victim's computer, which is not that unusual in real-world security breaches.

Attackers use various techniques to infect computers with malware and then escalate their privileges by exploiting unpatched privilege escalation flaws or by using social engineering to trick users.

Once an attacker has admin privileges on a computer he can modify the OS's boot configuration to force it to automatically enter Safe Mode the next time it's started. He can then configure a rogue service or COM object to start in this mode, steal the password and then reboot the computer.

Windows normally displays indicators that the OS is in Safe Mode ,which could alert users, but there are ways around that, Naim said.

First, to force a reboot, the attacker could display a prompt similar to the one shown by Windows when a computer needs to be restarted to install pending updates. Then once in Safe Mode, the malicious COM object could change the desktop background and other elements to make it seem that the OS is still in normal mode, the researcher said.

If attackers want to capture a user's credentials, they need to let the user log in, but if their goal is only to execute a pass-the-hash attack, they can simply force a back-to-back restart which would be indistinguishable to the user, Naim said.

CyberArk reported the issue, but claims that Microsoft doesn't view it as a security vulnerability because attackers need to compromise the computer and gain administrative privileges in the first place.

While a patch might not be forthcoming, there are some mitigation steps that companies could take to protect themselves against such attacks, Naim said. These include removing local administrator privileges from standard users, rotating privileged account credentials to invalidate existing password hashes frequently, using security tools that function properly even in Safe Mode and adding mechanisms to be alerted when a machine boots in Safe Mode.

Join the CSO newsletter!

Error: Please check your email address.

More about CyberArkMicrosoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts