Impair Defenses: Safe Mode Boot

Other sub-techniques of Impair Defenses (13)

ID	Name
ATAGS-T1097.001	Triggering the clear mode
ATAGS-T1097.002	Disable or Modify Cloud Firewall
ATAGS-T1097.003	Disable or Modify Cloud Logs
ATAGS-T1097.004	Disable or Modify Linux Audit System
ATAGS-T1097.005	Disable or Modify Network Device Firewall
ATAGS-T1097.006	Disable or Modify System Firewall
ATAGS-T1097.007	Disable or Modify Tools
ATAGS-T1097.008	Disable Windows Event Logging
ATAGS-T1097.009	Downgrade Attack
ATAGS-T1097.010	Impair Command History Logging
ATAGS-T1097.011	Indicator Blocking
ATAGS-T1097.012	Safe Mode Boot
ATAGS-T1097.013	Spoof Security Alerting

Threat Actors may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.

ID: ATAGS-T1097.012

Sub-technique of: ATAGS-T1097

ⓘ

Tactic: Defense Evasion

ⓘ

Targeted Components: Software

ⓘ

Responsibility: Provider

Created: 18 April 2026

Last Modified: 18 April 2026

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.