T1562.009 Elastic Security · Elastic

Detect Safe Mode Boot in Elastic Security

Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores using bcdedit. Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values. This technique has been used by multiple ransomware families including REvil, Black Basta, LockBit 3.0, AvosLocker, Qilin, and RansomHub to encrypt files while EDR tools are inactive.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1562 Impair Defenses
Sub-technique
T1562.009 Safe Mode Boot
Canonical reference
https://attack.mitre.org/techniques/T1562/009/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=5m
[
  any where (
    (process.name : "bcdedit.exe" and
      process.args : ("safeboot", "/set", "network", "minimal", "{current}", "{default}")
    ) or
    (process.name : "bootcfg.exe" and
      process.args : ("/raw") and process.args : ("safeboot", "/SAFEBOOT")
    ) or
    (event.category : "registry" and event.type : ("creation", "change") and
      registry.path : ("*SafeBoot\\Minimal\\*", "*SafeBoot\\Network\\*")
    )
  )
]
| head 500

OR

sequence by host.name with maxspan=1m
[
  process where event.type == "start" and
    process.name : "bcdedit.exe" and
    process.args : "safeboot"
]
[
  process where event.type == "start" and
    process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
]
critical severity high confidence

Detects adversaries abusing Windows Safe Mode Boot to disable endpoint defenses (T1562.009). Monitors for bcdedit.exe or bootcfg.exe invocations with safeboot parameters, as well as registry modifications to SafeBoot\Minimal or SafeBoot\Network keys. Heavily used by ransomware families (REvil, Black Basta, LockBit 3.0, AvosLocker, Qilin, RansomHub) to disable EDR tools before encryption.

Data Sources

Elastic Endpoint SecurityWindows Event LogsSysmon via Winlogbeat

Required Tables

processregistry

False Positives & Tuning

  • System administrators legitimately using bcdedit.exe to configure boot options for troubleshooting or driver debugging sessions
  • Enterprise imaging pipelines or MDT/SCCM task sequences that configure safe mode as part of system provisioning workflows
  • IT support staff booting systems into safe mode to remove malware or repair Windows installations in controlled helpdesk workflows
Download portable Sigma rule (.yml)

Other platforms for T1562.009

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Enable Safe Mode with Networking via bcdedit

    Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine containing '/set {current} safeboot network'. Security Event ID 4688 (if command line auditing enabled). DeviceProcessEvents in MDE.

  2. Test 2Register Service in Safe Mode via Registry

    Expected signal: Sysmon Event ID 12: Registry Key Created for HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\df00tech-test-svc. Sysmon Event ID 13: Registry Value Set with TargetObject showing the key and Details='Service'. DeviceRegistryEvents in MDE.

  3. Test 3Enable Minimal Safe Mode via bcdedit

    Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine containing '/set {current} safeboot minimal'. DeviceProcessEvents in MDE with FileName=bcdedit.exe.

  4. Test 4Force Reboot After Safe Mode Configuration

    Expected signal: Sysmon Event ID 1: Two process creation events — bcdedit.exe and shutdown.exe. System Event ID 1074: Shutdown initiated with reason 'df00tech safe mode test'. After reboot, System Event ID 6005/6006 showing safe mode startup.

Last updated: 2026-04-21 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1562.009 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1562Impair Defenses

Related Sub-techniques

T1562.001Disable or Modify ToolsT1562.002Disable Windows Event LoggingT1562.003Impair Command History LoggingT1562.004Disable or Modify System FirewallT1562.006Indicator BlockingT1562.007Disable or Modify Cloud FirewallT1562.008Disable or Modify Cloud LogsT1562.010Downgrade AttackT1562.011Spoof Security AlertingT1562.012Disable or Modify Linux Audit SystemT1562.013Disable or Modify Network Device Firewall

Related Techniques

T1562Impair DefensesT1562.001Disable or Modify ToolsT1112Modify RegistryT1490Inhibit System RecoveryT1486Data Encrypted for ImpactT1053.005Scheduled TaskT1059.001PowerShellT1543.003Windows Service

Same Tactic: Defense Evasion

Popular Detections