Blog | G5 Cyber Security

How an attacker could exploit Windows Safe Mode to steal passwords

Researchers at CyberArk Labs have described a method by which attackers could exploit Safe Mode on a PC to execute pass-the-hash attacks and other campaigns. The attack begins with a malicious hacker gaining local admin privileges on at least one machine on the corporate network. From there, hackers would need to look for vulnerable endpoints where they could reuse stolen login credentials to move laterally throughout the network. As soon as the user enters his or her credentials, a second update window can prompt the user to reboot yet again to move the machine back into the actual Normal Mode.

Source: https://grahamcluley.com/attacker-exploit-windows-safe-mode-steal-users-passwords/
