To execute the attack, the attacker needs to gain local administrative rights to the PC or server.

Once they have that access, they can modify the registry to force a reboot into Safe Mode.

They could then create attack tools that run in Safe Mode.

Hackers Can Use Windows Safe Mode To Steal PC Logins

Attackers can register a malicious COM object that is loaded by explorer.exe.

This enables the attacker's code to run each time explorer.exe needs to parse icons, CyberArk describes.
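A defender-side check for one way such a COM registration can show up, added here as an example and not taken from the article or from CyberArk: it parses a regedit text export and lists CLSIDs whose per-user `InprocServer32` entry overrides a machine-wide one. It assumes the export covers `Software\Classes\CLSID` under both HKCU and HKLM; the function names, CLSIDs and DLL paths are constructed for illustration.

```python
import re

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
INPROC_RE = re.compile(r"\\Classes\\CLSID\\(\{[0-9a-f-]{36}\})\\InprocServer32$", re.I)

def decode(raw):
    """Decode a .reg value: quoted REG_SZ or hex(2) REG_EXPAND_SZ (UTF-16LE)."""
    if raw.startswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])        # undo \\ and \" escapes
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw

def default_values(reg_text):
    """Map every key in a regedit v5 export to its default (@) value, if any."""
    text = re.sub(r"\\\r?\n\s*", "", reg_text)           # join hex continuation lines
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            values.setdefault(key, None)
        elif key and line.startswith("@="):
            values[key] = decode(line[2:])
    return values

def shadowed_com_servers(reg_text):
    """List (clsid, per_user_dll, machine_dll) where HKCU overrides an HKLM class."""
    per_hive = {"HKEY_CURRENT_USER": {}, "HKEY_LOCAL_MACHINE": {}}
    for key, value in default_values(reg_text).items():
        m = INPROC_RE.search(key)
        hive = key.split("\\", 1)[0].upper()
        if m and hive in per_hive:
            per_hive[hive][m.group(1).upper()] = value
    user, machine = per_hive["HKEY_CURRENT_USER"], per_hive["HKEY_LOCAL_MACHINE"]
    return sorted((c, dll, machine[c]) for c, dll in user.items() if c in machine)

def _expand_sz(s):  # builds a constructed hex(2) value for the sample below
    return "hex(2):" + ",".join(f"{b:02x}" for b in (s + "\0").encode("utf-16-le"))

# Constructed sample export (real exports are UTF-16: open(path, encoding="utf-16")).
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]",
    "@=" + _expand_sz(r"%SystemRoot%\system32\example.dll"), "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]",
    r'@="C:\\Windows\\System32\\other.dll"', "",
    r"[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]",
    r'@="C:\\Users\\Public\\example.dll"',
])
```

A hit is a lead to review rather than proof of compromise, since some legitimate software registers per-user COM classes.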


source: www.techworm.net