Detect Safe Mode Boot in CrowdStrike LogScale
Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores using bcdedit. Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values. This technique has been used by multiple ransomware families including REvil, Black Basta, LockBit 3.0, AvosLocker, Qilin, and RansomHub to encrypt files while EDR tools are inactive.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1562 Impair Defenses
- Sub-technique
- T1562.009 Safe Mode Boot
- Canonical reference
- https://attack.mitre.org/techniques/T1562/009/
LogScale Detection Query
// T1562.009 - Safe Mode Boot: bcdedit/bootcfg safe mode configuration
#event_simpleName=ProcessRollup2
| FileName = /(?i)bcdedit\.exe|bootcfg\.exe/
| CommandLine = /(?i)safeboot/
| eval is_safeboot_set = if(CommandLine = /(?i)safeboot/, "true", "false")
| eval is_network_mode = if(CommandLine = /(?i)network/ AND CommandLine = /(?i)safeboot/, "true", "false")
| eval is_minimal_mode = if(CommandLine = /(?i)minimal/ AND CommandLine = /(?i)safeboot/, "true", "false")
| eval is_delete = if(CommandLine = /(?i)deletevalue.*safeboot/, "true", "false")
| table([_timeutc, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, is_safeboot_set, is_network_mode, is_minimal_mode, is_delete])
| sort(field=_timeutc, order=desc)
| limit 500
// Secondary: Registry modifications to SafeBoot keys
// Run as separate search:
// #event_simpleName=RegGenericValueUpdate OR #event_simpleName=RegValueUpdate
// | RegObjectName = /(?i)SafeBoot\\(Minimal|Network)/
// | table([_timeutc, ComputerName, UserName, RegObjectName, RegValueName, RegStringValue, FileName, CommandLine])
// | sort(field=_timeutc, order=desc)CrowdStrike LogScale (CQL) detection for T1562.009 Safe Mode Boot abuse. Queries ProcessRollup2 events for bcdedit.exe and bootcfg.exe invocations containing safeboot parameters, and registry events targeting SafeBoot\Minimal or SafeBoot\Network keys. Ransomware groups (REvil, LockBit 3.0, Black Basta) use this to bypass Falcon sensor and other EDR tools during encrypted file operations.
Data Sources
Required Tables
False Positives & Tuning
- System administrators using bcdedit to configure boot debugging (/bootdebug, /testsigning) where command lines incidentally reference boot configuration parameters near safeboot entries
- Group Policy preferences or logon scripts that configure safe mode for specific kiosk or lab machine recovery scenarios
- Vendor-supplied diagnostics tools for specific hardware (e.g., RAID controllers, NIC firmware updaters) that modify BCD entries as part of their update workflow
Other platforms for T1562.009
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enable Safe Mode with Networking via bcdedit
Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine containing '/set {current} safeboot network'. Security Event ID 4688 (if command line auditing enabled). DeviceProcessEvents in MDE.
- Test 2Register Service in Safe Mode via Registry
Expected signal: Sysmon Event ID 12: Registry Key Created for HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\df00tech-test-svc. Sysmon Event ID 13: Registry Value Set with TargetObject showing the key and Details='Service'. DeviceRegistryEvents in MDE.
- Test 3Enable Minimal Safe Mode via bcdedit
Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine containing '/set {current} safeboot minimal'. DeviceProcessEvents in MDE with FileName=bcdedit.exe.
- Test 4Force Reboot After Safe Mode Configuration
Expected signal: Sysmon Event ID 1: Two process creation events — bcdedit.exe and shutdown.exe. System Event ID 1074: Shutdown initiated with reason 'df00tech safe mode test'. After reboot, System Event ID 6005/6006 showing safe mode startup.
References (7)
- https://attack.mitre.org/techniques/T1562/009/
- https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/
- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
- https://www.cyberark.com/resources/blog/cyberark-labs-from-safe-mode-to-domain-compromise
- https://www.cybereason.com/blog/medusalocker-ransomware
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bcdedit
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md
Unlock Pro Content
Get the full detection package for T1562.009 including response playbook, investigation guide, and atomic red team tests.