Detect Safe Mode Boot in Sumo Logic CSE
Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores using bcdedit. Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values. This technique has been used by multiple ransomware families including REvil, Black Basta, LockBit 3.0, AvosLocker, Qilin, and RansomHub to encrypt files while EDR tools are inactive.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1562 Impair Defenses
- Sub-technique
- T1562.009 Safe Mode Boot
- Canonical reference
- https://attack.mitre.org/techniques/T1562/009/
Sumo Detection Query
_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| where _raw matches /(?i)(bcdedit|bootcfg)/
| parse regex field=_raw "(?i)CommandLine[\s\S]*?(?P<command_line>[^\r\n]{0,500})" nodrop
| parse regex field=_raw "(?i)Image[\s\S]*?(?P<process_image>[^\r\n]{0,300})" nodrop
| parse regex field=_raw "(?i)TargetObject[\s\S]*?(?P<registry_key>[^\r\n]{0,500})" nodrop
| parse regex field=_raw "(?i)User[\s\S]*?(?P<user_name>[^\r\n]{0,100})" nodrop
| parse regex field=_raw "(?i)Computer[\s\S]*?(?P<computer_name>[^\r\n]{0,100})" nodrop
| where (
(toLowerCase(process_image) matches "*bcdedit.exe*" AND (
toLowerCase(command_line) matches "*safeboot*" OR
toLowerCase(command_line) matches "*/set*"
)) OR
(toLowerCase(process_image) matches "*bootcfg.exe*" AND
toLowerCase(command_line) matches "*safeboot*"
) OR
(
toLowerCase(registry_key) matches "*safeboot\\minimal*" OR
toLowerCase(registry_key) matches "*safeboot\\network*"
)
)
| eval is_safeboot_set = if(toLowerCase(command_line) matches "*safeboot*", 1, 0)
| eval is_network_mode = if(toLowerCase(command_line) matches "*network*" AND toLowerCase(command_line) matches "*safeboot*", 1, 0)
| eval is_minimal_mode = if(toLowerCase(command_line) matches "*minimal*" AND toLowerCase(command_line) matches "*safeboot*", 1, 0)
| eval is_delete = if(toLowerCase(command_line) matches "*deletevalue*safeboot*", 1, 0)
| fields _messageTime, computer_name, user_name, process_image, command_line, registry_key, is_safeboot_set, is_network_mode, is_minimal_mode, is_delete
| sort by _messageTime descDetects T1562.009 Safe Mode Boot abuse in Sumo Logic by identifying bcdedit.exe/bootcfg.exe processes configured to enable safe mode and registry modifications to SafeBoot key paths used by ransomware families to disable EDR tools. Covers both Safe Mode and Safe Mode with Networking variants.
Data Sources
Required Tables
False Positives & Tuning
- Windows administrators using bcdedit to configure debugging boot options (e.g., kernel debugging with /debug) that also reference safe mode parameters
- Automated recovery partitions or OEM tools that set safe mode boot flags as part of scheduled hardware diagnostics
- Security testing tools or red team exercises that validate safe mode boot restrictions as part of authorized assessments
Other platforms for T1562.009
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enable Safe Mode with Networking via bcdedit
Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine containing '/set {current} safeboot network'. Security Event ID 4688 (if command line auditing enabled). DeviceProcessEvents in MDE.
- Test 2Register Service in Safe Mode via Registry
Expected signal: Sysmon Event ID 12: Registry Key Created for HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\df00tech-test-svc. Sysmon Event ID 13: Registry Value Set with TargetObject showing the key and Details='Service'. DeviceRegistryEvents in MDE.
- Test 3Enable Minimal Safe Mode via bcdedit
Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine containing '/set {current} safeboot minimal'. DeviceProcessEvents in MDE with FileName=bcdedit.exe.
- Test 4Force Reboot After Safe Mode Configuration
Expected signal: Sysmon Event ID 1: Two process creation events — bcdedit.exe and shutdown.exe. System Event ID 1074: Shutdown initiated with reason 'df00tech safe mode test'. After reboot, System Event ID 6005/6006 showing safe mode startup.
References (7)
- https://attack.mitre.org/techniques/T1562/009/
- https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/
- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
- https://www.cyberark.com/resources/blog/cyberark-labs-from-safe-mode-to-domain-compromise
- https://www.cybereason.com/blog/medusalocker-ransomware
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bcdedit
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md
Unlock Pro Content
Get the full detection package for T1562.009 including response playbook, investigation guide, and atomic red team tests.