T1562.009 Splunk · SPL

Detect Safe Mode Boot in Splunk

Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores using bcdedit. Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values. This technique has been used by multiple ransomware families including REvil, Black Basta, LockBit 3.0, AvosLocker, Qilin, and RansomHub to encrypt files while EDR tools are inactive.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1562 Impair Defenses
Sub-technique
T1562.009 Safe Mode Boot
Canonical reference
https://attack.mitre.org/techniques/T1562/009/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\bcdedit.exe" OR Image="*\\bootcfg.exe")
  (CommandLine="*safeboot*" OR CommandLine="*SAFEBOOT*" OR CommandLine="*/set*safeboot*")
| eval CommandLine=lower(CommandLine)
| eval IsSafeBootSet=if(match(CommandLine, "safeboot"), 1, 0)
| eval IsNetworkMode=if(match(CommandLine, "(safeboot\s+network|network)") AND match(CommandLine, "safeboot"), 1, 0)
| eval IsMinimalMode=if(match(CommandLine, "(safeboot\s+minimal|minimal)") AND match(CommandLine, "safeboot"), 1, 0)
| eval IsDeleteSafeBoot=if(match(CommandLine, "deletevalue.*safeboot"), 1, 0)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsSafeBootSet, IsNetworkMode, IsMinimalMode, IsDeleteSafeBoot
| sort - _time
| append [
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
    TargetObject="*SafeBoot\\*"
  | table _time, host, User, Image, TargetObject, Details
  | sort - _time
]
critical severity high confidence

Detects safe mode boot abuse using Sysmon logs. Monitors for bcdedit.exe and bootcfg.exe process creation (Event ID 1) with safeboot command-line arguments, and appends Sysmon Event ID 13 (Registry Value Set) events targeting SafeBoot registry keys. Distinguishes between network and minimal safe mode, and flags deletevalue operations that may indicate cleanup after safe mode encryption.

Data Sources

Process: Process CreationCommand: Command ExecutionWindows Registry: Windows Registry Key ModificationSysmon Event ID 1Sysmon Event ID 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • System administrators using bcdedit to troubleshoot boot issues or configure safe mode for maintenance windows
  • IT helpdesk technicians remotely booting endpoints into safe mode to remove stubborn malware or driver conflicts
  • Software installers that register themselves under SafeBoot registry keys as a legitimate minimal service
  • Endpoint management tools (SCCM, Intune) that use bcdedit in recovery scripts
Download portable Sigma rule (.yml)

Other platforms for T1562.009

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Enable Safe Mode with Networking via bcdedit

    Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine containing '/set {current} safeboot network'. Security Event ID 4688 (if command line auditing enabled). DeviceProcessEvents in MDE.

  2. Test 2Register Service in Safe Mode via Registry

    Expected signal: Sysmon Event ID 12: Registry Key Created for HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\df00tech-test-svc. Sysmon Event ID 13: Registry Value Set with TargetObject showing the key and Details='Service'. DeviceRegistryEvents in MDE.

  3. Test 3Enable Minimal Safe Mode via bcdedit

    Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine containing '/set {current} safeboot minimal'. DeviceProcessEvents in MDE with FileName=bcdedit.exe.

  4. Test 4Force Reboot After Safe Mode Configuration

    Expected signal: Sysmon Event ID 1: Two process creation events — bcdedit.exe and shutdown.exe. System Event ID 1074: Shutdown initiated with reason 'df00tech safe mode test'. After reboot, System Event ID 6005/6006 showing safe mode startup.

Last updated: 2026-04-21 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1562.009 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1562Impair Defenses

Related Sub-techniques

T1562.001Disable or Modify ToolsT1562.002Disable Windows Event LoggingT1562.003Impair Command History LoggingT1562.004Disable or Modify System FirewallT1562.006Indicator BlockingT1562.007Disable or Modify Cloud FirewallT1562.008Disable or Modify Cloud LogsT1562.010Downgrade AttackT1562.011Spoof Security AlertingT1562.012Disable or Modify Linux Audit SystemT1562.013Disable or Modify Network Device Firewall

Related Techniques

T1562Impair DefensesT1562.001Disable or Modify ToolsT1112Modify RegistryT1490Inhibit System RecoveryT1486Data Encrypted for ImpactT1053.005Scheduled TaskT1059.001PowerShellT1543.003Windows Service

Same Tactic: Defense Evasion

Popular Detections