T1562.009 IBM QRadar · QRadar

Detect Safe Mode Boot in IBM QRadar

Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores using bcdedit. Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values. This technique has been used by multiple ransomware families including REvil, Black Basta, LockBit 3.0, AvosLocker, Qilin, and RansomHub to encrypt files while EDR tools are inactive.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1562 Impair Defenses
Sub-technique
T1562.009 Safe Mode Boot
Canonical reference
https://attack.mitre.org/techniques/T1562/009/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  "Computer Name" AS host_name,
  "Process Name" AS process_name,
  "Command Line" AS command_line,
  "Parent Process Name" AS parent_process,
  CATEGORYNAME(category) AS event_category,
  QIDNAME(qid) AS event_name
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 352, 382)
  AND devicetime > (NOW() - 86400000)
  AND (
    (
      LOWER("Process Name") LIKE '%bcdedit.exe'
      AND (
        LOWER("Command Line") LIKE '%safeboot%'
        OR LOWER("Command Line") LIKE '%/set%'
      )
    )
    OR (
      LOWER("Process Name") LIKE '%bootcfg.exe'
      AND LOWER("Command Line") LIKE '%safeboot%'
    )
    OR (
      LOWER("Object Name") LIKE '%safeboot\\minimal%'
      OR LOWER("Object Name") LIKE '%safeboot\\network%'
    )
  )
ORDER BY devicetime DESC
LIMIT 500
critical severity medium confidence

Detects T1562.009 Safe Mode Boot abuse in IBM QRadar by identifying bcdedit.exe or bootcfg.exe processes with safeboot-related command-line arguments, and registry events targeting SafeBoot\Minimal or SafeBoot\Network keys. Ransomware operators use this to evade EDR tools that do not load during safe mode.

Data Sources

Windows Security Event LogSysmon Event LogMicrosoft Endpoint

Required Tables

events

False Positives & Tuning

  • Administrators using bcdedit.exe to configure network boot or PXE settings in enterprise environments with legitimate diagnostic workflows
  • Automated backup or disaster recovery tools that configure boot settings to ensure recovery modes are accessible
  • Windows Subsystem for Linux (WSL) or Hyper-V configuration scripts that modify BCD settings as part of virtualization setup
Download portable Sigma rule (.yml)

Other platforms for T1562.009

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Enable Safe Mode with Networking via bcdedit

    Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine containing '/set {current} safeboot network'. Security Event ID 4688 (if command line auditing enabled). DeviceProcessEvents in MDE.

  2. Test 2Register Service in Safe Mode via Registry

    Expected signal: Sysmon Event ID 12: Registry Key Created for HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\df00tech-test-svc. Sysmon Event ID 13: Registry Value Set with TargetObject showing the key and Details='Service'. DeviceRegistryEvents in MDE.

  3. Test 3Enable Minimal Safe Mode via bcdedit

    Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine containing '/set {current} safeboot minimal'. DeviceProcessEvents in MDE with FileName=bcdedit.exe.

  4. Test 4Force Reboot After Safe Mode Configuration

    Expected signal: Sysmon Event ID 1: Two process creation events — bcdedit.exe and shutdown.exe. System Event ID 1074: Shutdown initiated with reason 'df00tech safe mode test'. After reboot, System Event ID 6005/6006 showing safe mode startup.

Last updated: 2026-04-21 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1562.009 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1562Impair Defenses

Related Sub-techniques

T1562.001Disable or Modify ToolsT1562.002Disable Windows Event LoggingT1562.003Impair Command History LoggingT1562.004Disable or Modify System FirewallT1562.006Indicator BlockingT1562.007Disable or Modify Cloud FirewallT1562.008Disable or Modify Cloud LogsT1562.010Downgrade AttackT1562.011Spoof Security AlertingT1562.012Disable or Modify Linux Audit SystemT1562.013Disable or Modify Network Device Firewall

Related Techniques

T1562Impair DefensesT1562.001Disable or Modify ToolsT1112Modify RegistryT1490Inhibit System RecoveryT1486Data Encrypted for ImpactT1053.005Scheduled TaskT1059.001PowerShellT1543.003Windows Service

Same Tactic: Defense Evasion

Popular Detections