DET0116 Detection Strategy for Safe Mode Boot Abuse

Item	Value
ID	DET0116
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1562.009 (Safe Mode Boot)

Analytics

Windows

AN0323

Abuse of safe mode via BCD modification, boot configuration utilities (bcdedit.exe, bootcfg.exe), and registry persistence under SafeBoot keys. Defender view: suspicious boot configuration changes correlated with registry edits that enable adversary persistence or disable defenses.

Log Sources

Data Component	Name	Channel
Process Creation (DC0032)	WinEventLog:Security	EventCode=4688
Windows Registry Key Modification (DC0063)	WinEventLog:Sysmon	EventCode=13, 14
Windows Registry Key Creation (DC0056)	WinEventLog:Sysmon	EventCode=12

Mutable Elements

Field	Description
SafeBootRegistryPaths	Customize monitored registry paths for safe mode service additions.
AllowedAdminTools	Whitelist legitimate administrative use of bcdedit/bootcfg for troubleshooting.
TimeWindow	Correlate registry modifications and boot configuration commands within a short timeframe.