T1562.009 Google Chronicle · YARA-L

Detect Safe Mode Boot in Google Chronicle

Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores using bcdedit. Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values. This technique has been used by multiple ransomware families including REvil, Black Basta, LockBit 3.0, AvosLocker, Qilin, and RansomHub to encrypt files while EDR tools are inactive.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1562 Impair Defenses
Sub-technique
T1562.009 Safe Mode Boot
Canonical reference
https://attack.mitre.org/techniques/T1562/009/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1562_009_safe_mode_boot {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1562.009 - Safe Mode Boot abuse. Adversaries use bcdedit.exe or bootcfg.exe to configure Windows safe mode, disabling EDR tools before ransomware execution. Covers both process execution and SafeBoot registry key modifications."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1562.009"
    severity = "CRITICAL"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1562/009/"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e.principal.process.file.full_path, `(?i)bcdedit\.exe$`)
        or re.regex($e.principal.process.file.full_path, `(?i)bootcfg\.exe$`)
      )
      and re.regex($e.target.process.command_line, `(?i)safeboot`)
    )
    or (
      $e.metadata.event_type = "REGISTRY_MODIFICATION"
      and (
        re.regex($e.target.registry.registry_key, `(?i)SafeBoot\\(Minimal|Network)`)
      )
    )

  condition:
    $e
}
critical severity high confidence

Google Chronicle YARA-L 2.0 rule detecting T1562.009 Safe Mode Boot abuse. Monitors PROCESS_LAUNCH events for bcdedit.exe or bootcfg.exe with safeboot arguments, and REGISTRY_MODIFICATION events targeting SafeBoot\Minimal or SafeBoot\Network registry paths used by ransomware families to disable EDR during reboot.

Data Sources

Google Chronicle UDMWindows Event Logs forwarded to ChronicleSysmon via Chronicle Forwarder

Required Tables

UDM Events - PROCESS_LAUNCHUDM Events - REGISTRY_MODIFICATION

False Positives & Tuning

  • IT administrators running bcdedit for legitimate boot configuration changes during planned maintenance windows
  • Enterprise deployment tools (SCCM, MDT) that programmatically configure boot settings during OS deployment sequences
  • Windows Recovery Environment (WinRE) automation scripts that configure safe mode entries for disaster recovery purposes
Download portable Sigma rule (.yml)

Other platforms for T1562.009

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Enable Safe Mode with Networking via bcdedit

    Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine containing '/set {current} safeboot network'. Security Event ID 4688 (if command line auditing enabled). DeviceProcessEvents in MDE.

  2. Test 2Register Service in Safe Mode via Registry

    Expected signal: Sysmon Event ID 12: Registry Key Created for HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\df00tech-test-svc. Sysmon Event ID 13: Registry Value Set with TargetObject showing the key and Details='Service'. DeviceRegistryEvents in MDE.

  3. Test 3Enable Minimal Safe Mode via bcdedit

    Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine containing '/set {current} safeboot minimal'. DeviceProcessEvents in MDE with FileName=bcdedit.exe.

  4. Test 4Force Reboot After Safe Mode Configuration

    Expected signal: Sysmon Event ID 1: Two process creation events — bcdedit.exe and shutdown.exe. System Event ID 1074: Shutdown initiated with reason 'df00tech safe mode test'. After reboot, System Event ID 6005/6006 showing safe mode startup.

Last updated: 2026-04-21 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1562.009 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1562Impair Defenses

Related Sub-techniques

T1562.001Disable or Modify ToolsT1562.002Disable Windows Event LoggingT1562.003Impair Command History LoggingT1562.004Disable or Modify System FirewallT1562.006Indicator BlockingT1562.007Disable or Modify Cloud FirewallT1562.008Disable or Modify Cloud LogsT1562.010Downgrade AttackT1562.011Spoof Security AlertingT1562.012Disable or Modify Linux Audit SystemT1562.013Disable or Modify Network Device Firewall

Related Techniques

T1562Impair DefensesT1562.001Disable or Modify ToolsT1112Modify RegistryT1490Inhibit System RecoveryT1486Data Encrypted for ImpactT1053.005Scheduled TaskT1059.001PowerShellT1543.003Windows Service

Same Tactic: Defense Evasion

Popular Detections