Detect Safe Mode Boot in Microsoft Sentinel
Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores using bcdedit. Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values. This technique has been used by multiple ransomware families including REvil, Black Basta, LockBit 3.0, AvosLocker, Qilin, and RansomHub to encrypt files while EDR tools are inactive.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1562 Impair Defenses
- Sub-technique
- T1562.009 Safe Mode Boot
- Canonical reference
- https://attack.mitre.org/techniques/T1562/009/
KQL Detection Query
let BcdEditSafeMode = dynamic([
"safeboot", "safebootalternateshell",
"{current}", "{default}"
]);
let SafeModeRegistryPaths = dynamic([
"SafeBoot\\Minimal",
"SafeBoot\\Network"
]);
union
(
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "bcdedit.exe"
| where ProcessCommandLine has_any ("safeboot", "/set", "network", "minimal")
| extend IsSafeBootSet = ProcessCommandLine has "safeboot"
| extend IsNetworkMode = ProcessCommandLine has "network"
| extend IsDeleteSafeBoot = ProcessCommandLine has "deletevalue" and ProcessCommandLine has "safeboot"
| project Timestamp, DeviceName, AccountName, FileName,
ProcessCommandLine, InitiatingProcessFileName,
InitiatingProcessCommandLine,
IsSafeBootSet, IsNetworkMode, IsDeleteSafeBoot
),
(
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (SafeModeRegistryPaths)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| project Timestamp, DeviceName, AccountName,
RegistryKey, RegistryValueName, RegistryValueData,
InitiatingProcessFileName, InitiatingProcessCommandLine,
ActionType
),
(
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "bootcfg.exe"
| where ProcessCommandLine has "/raw" and ProcessCommandLine has_any ("safeboot", "/SAFEBOOT")
| project Timestamp, DeviceName, AccountName, FileName,
ProcessCommandLine, InitiatingProcessFileName,
InitiatingProcessCommandLine
)
| sort by Timestamp descDetects safe mode boot abuse through three vectors: (1) bcdedit.exe commands that set safeboot mode (minimal or network), (2) registry modifications to SafeBoot\Minimal or SafeBoot\Network keys to register malicious services that persist in safe mode, and (3) legacy bootcfg.exe commands. Covers the full ransomware kill chain pattern where adversaries configure safe mode boot, register their payload as a safe-mode service, and force a reboot to encrypt files while EDR is disabled.
Data Sources
Required Tables
False Positives & Tuning
- System administrators using bcdedit to troubleshoot boot issues or configure safe mode for maintenance windows
- IT helpdesk technicians remotely booting endpoints into safe mode to remove stubborn malware or driver conflicts
- Software installers that register themselves under SafeBoot registry keys as a legitimate minimal service (rare but possible with driver installers)
- Windows Update or BIOS firmware updates that temporarily modify BCD settings during a planned update cycle
Other platforms for T1562.009
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enable Safe Mode with Networking via bcdedit
Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine containing '/set {current} safeboot network'. Security Event ID 4688 (if command line auditing enabled). DeviceProcessEvents in MDE.
- Test 2Register Service in Safe Mode via Registry
Expected signal: Sysmon Event ID 12: Registry Key Created for HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\df00tech-test-svc. Sysmon Event ID 13: Registry Value Set with TargetObject showing the key and Details='Service'. DeviceRegistryEvents in MDE.
- Test 3Enable Minimal Safe Mode via bcdedit
Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine containing '/set {current} safeboot minimal'. DeviceProcessEvents in MDE with FileName=bcdedit.exe.
- Test 4Force Reboot After Safe Mode Configuration
Expected signal: Sysmon Event ID 1: Two process creation events — bcdedit.exe and shutdown.exe. System Event ID 1074: Shutdown initiated with reason 'df00tech safe mode test'. After reboot, System Event ID 6005/6006 showing safe mode startup.
References (7)
- https://attack.mitre.org/techniques/T1562/009/
- https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/
- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
- https://www.cyberark.com/resources/blog/cyberark-labs-from-safe-mode-to-domain-compromise
- https://www.cybereason.com/blog/medusalocker-ransomware
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bcdedit
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md
Unlock Pro Content
Get the full detection package for T1562.009 including response playbook, investigation guide, and atomic red team tests.