title: Safe Mode Boot (T1562.009)
id: df00tech-t1562-009
status: experimental
description: "Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores using bcdedit. Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values. This technique has been used by multiple ransomware families including REvil, Black Basta, LockBit 3.0, AvosLocker, Qilin, and RansomHub to encrypt files while EDR tools are inactive."
references:
  - https://attack.mitre.org/techniques/T1562/009/
  - https://df00tech.com/detections/T1562.009
author: df00tech
date: 2026/04/21
tags:
  - attack.t1562.009
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - System administrators using bcdedit to troubleshoot boot issues or configure safe mode for maintenance windows
  - IT helpdesk technicians remotely booting endpoints into safe mode to remove stubborn malware or driver conflicts
  - Software installers that register themselves under SafeBoot registry keys as a legitimate minimal service (rare but possible with driver installers)
  - Windows Update or BIOS firmware updates that temporarily modify BCD settings during a planned update cycle
level: critical