T1562.009 Safe Mode Boot Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let BcdEditSafeMode = dynamic([
  "safeboot", "safebootalternateshell",
  "{current}", "{default}"
]);
let SafeModeRegistryPaths = dynamic([
  "SafeBoot\\Minimal",
  "SafeBoot\\Network"
]);
union
(
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where FileName =~ "bcdedit.exe"
  | where ProcessCommandLine has_any ("safeboot", "/set", "network", "minimal")
  | extend IsSafeBootSet = ProcessCommandLine has "safeboot"
  | extend IsNetworkMode = ProcessCommandLine has "network"
  | extend IsDeleteSafeBoot = ProcessCommandLine has "deletevalue" and ProcessCommandLine has "safeboot"
  | project Timestamp, DeviceName, AccountName, FileName,
           ProcessCommandLine, InitiatingProcessFileName,
           InitiatingProcessCommandLine,
           IsSafeBootSet, IsNetworkMode, IsDeleteSafeBoot
),
(
  DeviceRegistryEvents
  | where Timestamp > ago(24h)
  | where RegistryKey has_any (SafeModeRegistryPaths)
  | where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
  | project Timestamp, DeviceName, AccountName,
           RegistryKey, RegistryValueName, RegistryValueData,
           InitiatingProcessFileName, InitiatingProcessCommandLine,
           ActionType
),
(
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where FileName =~ "bootcfg.exe"
  | where ProcessCommandLine has "/raw" and ProcessCommandLine has_any ("safeboot", "/SAFEBOOT")
  | project Timestamp, DeviceName, AccountName, FileName,
           ProcessCommandLine, InitiatingProcessFileName,
           InitiatingProcessCommandLine
)
| sort by Timestamp desc

critical severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Windows Registry: Windows Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents

False Positives

System administrators using bcdedit to troubleshoot boot issues or configure safe mode for maintenance windows
IT helpdesk technicians remotely booting endpoints into safe mode to remove stubborn malware or driver conflicts
Software installers that register themselves under SafeBoot registry keys as a legitimate minimal service (rare but possible with driver installers)
Windows Update or BIOS firmware updates that temporarily modify BCD settings during a planned update cycle

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\bcdedit.exe" OR Image="*\\bootcfg.exe")
  (CommandLine="*safeboot*" OR CommandLine="*SAFEBOOT*" OR CommandLine="*/set*safeboot*")
| eval CommandLine=lower(CommandLine)
| eval IsSafeBootSet=if(match(CommandLine, "safeboot"), 1, 0)
| eval IsNetworkMode=if(match(CommandLine, "(safeboot\s+network|network)") AND match(CommandLine, "safeboot"), 1, 0)
| eval IsMinimalMode=if(match(CommandLine, "(safeboot\s+minimal|minimal)") AND match(CommandLine, "safeboot"), 1, 0)
| eval IsDeleteSafeBoot=if(match(CommandLine, "deletevalue.*safeboot"), 1, 0)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsSafeBootSet, IsNetworkMode, IsMinimalMode, IsDeleteSafeBoot
| sort - _time
| append [
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
    TargetObject="*SafeBoot\\*"
  | table _time, host, User, Image, TargetObject, Details
  | sort - _time
]

critical severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Windows Registry: Windows Registry Key Modification Sysmon Event ID 1 Sysmon Event ID 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

System administrators using bcdedit to troubleshoot boot issues or configure safe mode for maintenance windows
IT helpdesk technicians remotely booting endpoints into safe mode to remove stubborn malware or driver conflicts
Software installers that register themselves under SafeBoot registry keys as a legitimate minimal service
Endpoint management tools (SCCM, Intune) that use bcdedit in recovery scripts

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
[
  any where (
    (process.name : "bcdedit.exe" and
      process.args : ("safeboot", "/set", "network", "minimal", "{current}", "{default}")
    ) or
    (process.name : "bootcfg.exe" and
      process.args : ("/raw") and process.args : ("safeboot", "/SAFEBOOT")
    ) or
    (event.category : "registry" and event.type : ("creation", "change") and
      registry.path : ("*SafeBoot\\Minimal\\*", "*SafeBoot\\Network\\*")
    )
  )
]
| head 500

OR

sequence by host.name with maxspan=1m
[
  process where event.type == "start" and
    process.name : "bcdedit.exe" and
    process.args : "safeboot"
]
[
  process where event.type == "start" and
    process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
]

critical severity high confidence

Data Sources

Elastic Endpoint Security Windows Event Logs Sysmon via Winlogbeat

Required Tables

process registry

False Positives

System administrators legitimately using bcdedit.exe to configure boot options for troubleshooting or driver debugging sessions
Enterprise imaging pipelines or MDT/SCCM task sequences that configure safe mode as part of system provisioning workflows
IT support staff booting systems into safe mode to remove malware or repair Windows installations in controlled helpdesk workflows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  "Computer Name" AS host_name,
  "Process Name" AS process_name,
  "Command Line" AS command_line,
  "Parent Process Name" AS parent_process,
  CATEGORYNAME(category) AS event_category,
  QIDNAME(qid) AS event_name
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 352, 382)
  AND devicetime > (NOW() - 86400000)
  AND (
    (
      LOWER("Process Name") LIKE '%bcdedit.exe'
      AND (
        LOWER("Command Line") LIKE '%safeboot%'
        OR LOWER("Command Line") LIKE '%/set%'
      )
    )
    OR (
      LOWER("Process Name") LIKE '%bootcfg.exe'
      AND LOWER("Command Line") LIKE '%safeboot%'
    )
    OR (
      LOWER("Object Name") LIKE '%safeboot\\minimal%'
      OR LOWER("Object Name") LIKE '%safeboot\\network%'
    )
  )
ORDER BY devicetime DESC
LIMIT 500

critical severity medium confidence

Data Sources

Windows Security Event Log Sysmon Event Log Microsoft Endpoint

Required Tables

events

False Positives

Administrators using bcdedit.exe to configure network boot or PXE settings in enterprise environments with legitimate diagnostic workflows
Automated backup or disaster recovery tools that configure boot settings to ensure recovery modes are accessible
Windows Subsystem for Linux (WSL) or Hyper-V configuration scripts that modify BCD settings as part of virtualization setup

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| where _raw matches /(?i)(bcdedit|bootcfg)/
| parse regex field=_raw "(?i)CommandLine[\s\S]*?(?P<command_line>[^\r\n]{0,500})" nodrop
| parse regex field=_raw "(?i)Image[\s\S]*?(?P<process_image>[^\r\n]{0,300})" nodrop
| parse regex field=_raw "(?i)TargetObject[\s\S]*?(?P<registry_key>[^\r\n]{0,500})" nodrop
| parse regex field=_raw "(?i)User[\s\S]*?(?P<user_name>[^\r\n]{0,100})" nodrop
| parse regex field=_raw "(?i)Computer[\s\S]*?(?P<computer_name>[^\r\n]{0,100})" nodrop
| where (
    (toLowerCase(process_image) matches "*bcdedit.exe*" AND (
      toLowerCase(command_line) matches "*safeboot*" OR
      toLowerCase(command_line) matches "*/set*"
    )) OR
    (toLowerCase(process_image) matches "*bootcfg.exe*" AND
      toLowerCase(command_line) matches "*safeboot*"
    ) OR
    (
      toLowerCase(registry_key) matches "*safeboot\\minimal*" OR
      toLowerCase(registry_key) matches "*safeboot\\network*"
    )
  )
| eval is_safeboot_set = if(toLowerCase(command_line) matches "*safeboot*", 1, 0)
| eval is_network_mode = if(toLowerCase(command_line) matches "*network*" AND toLowerCase(command_line) matches "*safeboot*", 1, 0)
| eval is_minimal_mode = if(toLowerCase(command_line) matches "*minimal*" AND toLowerCase(command_line) matches "*safeboot*", 1, 0)
| eval is_delete = if(toLowerCase(command_line) matches "*deletevalue*safeboot*", 1, 0)
| fields _messageTime, computer_name, user_name, process_image, command_line, registry_key, is_safeboot_set, is_network_mode, is_minimal_mode, is_delete
| sort by _messageTime desc

critical severity high confidence

Data Sources

Windows Event Logs via Installed Collector Sysmon via Sumo Logic Collector Carbon Black via Sumo Logic App

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon*

False Positives

Windows administrators using bcdedit to configure debugging boot options (e.g., kernel debugging with /debug) that also reference safe mode parameters
Automated recovery partitions or OEM tools that set safe mode boot flags as part of scheduled hardware diagnostics
Security testing tools or red team exercises that validate safe mode boot restrictions as part of authorized assessments

Google Chronicle / SecOps

yaral

rule t1562_009_safe_mode_boot {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1562.009 - Safe Mode Boot abuse. Adversaries use bcdedit.exe or bootcfg.exe to configure Windows safe mode, disabling EDR tools before ransomware execution. Covers both process execution and SafeBoot registry key modifications."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1562.009"
    severity = "CRITICAL"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1562/009/"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e.principal.process.file.full_path, `(?i)bcdedit\.exe$`)
        or re.regex($e.principal.process.file.full_path, `(?i)bootcfg\.exe$`)
      )
      and re.regex($e.target.process.command_line, `(?i)safeboot`)
    )
    or (
      $e.metadata.event_type = "REGISTRY_MODIFICATION"
      and (
        re.regex($e.target.registry.registry_key, `(?i)SafeBoot\\(Minimal|Network)`)
      )
    )

  condition:
    $e
}

critical severity high confidence

Data Sources

Google Chronicle UDM Windows Event Logs forwarded to Chronicle Sysmon via Chronicle Forwarder

Required Tables

UDM Events - PROCESS_LAUNCH UDM Events - REGISTRY_MODIFICATION

False Positives

IT administrators running bcdedit for legitimate boot configuration changes during planned maintenance windows
Enterprise deployment tools (SCCM, MDT) that programmatically configure boot settings during OS deployment sequences
Windows Recovery Environment (WinRE) automation scripts that configure safe mode entries for disaster recovery purposes

CrowdStrike LogScale (CQL)

cql

// T1562.009 - Safe Mode Boot: bcdedit/bootcfg safe mode configuration
#event_simpleName=ProcessRollup2
| FileName = /(?i)bcdedit\.exe|bootcfg\.exe/
| CommandLine = /(?i)safeboot/
| eval is_safeboot_set = if(CommandLine = /(?i)safeboot/, "true", "false")
| eval is_network_mode = if(CommandLine = /(?i)network/ AND CommandLine = /(?i)safeboot/, "true", "false")
| eval is_minimal_mode = if(CommandLine = /(?i)minimal/ AND CommandLine = /(?i)safeboot/, "true", "false")
| eval is_delete = if(CommandLine = /(?i)deletevalue.*safeboot/, "true", "false")
| table([_timeutc, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, is_safeboot_set, is_network_mode, is_minimal_mode, is_delete])
| sort(field=_timeutc, order=desc)
| limit 500

// Secondary: Registry modifications to SafeBoot keys
// Run as separate search:
// #event_simpleName=RegGenericValueUpdate OR #event_simpleName=RegValueUpdate
// | RegObjectName = /(?i)SafeBoot\\(Minimal|Network)/
// | table([_timeutc, ComputerName, UserName, RegObjectName, RegValueName, RegStringValue, FileName, CommandLine])
// | sort(field=_timeutc, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon Sensor CrowdStrike Event Stream Falcon Data Replicator

Required Tables

ProcessRollup2 RegGenericValueUpdate RegValueUpdate

False Positives

System administrators using bcdedit to configure boot debugging (/bootdebug, /testsigning) where command lines incidentally reference boot configuration parameters near safeboot entries
Group Policy preferences or logon scripts that configure safe mode for specific kiosk or lab machine recovery scenarios
Vendor-supplied diagnostics tools for specific hardware (e.g., RAID controllers, NIC firmware updaters) that modify BCD entries as part of their update workflow

Safe Mode Boot

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections