Abuse of Windows Safe Mode, which starts the system with most third-party drivers and services (including many security products) disabled. Adversaries enable it by modifying the Boot Configuration Data (BCD) with boot configuration utilities (bcdedit.exe; bootcfg.exe on older boot.ini-based systems) and persist through it by adding their own service or driver entries under the SafeBoot registry keys (HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and \Network), so their code still loads in safe mode while defenses do not. Defender view: suspicious boot configuration changes correlated, within a short window, with registry edits under SafeBoot keys that enable adversary persistence or disable defenses.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |
| Windows Registry Key Creation (DC0056) | WinEventLog:Sysmon | EventCode=12 |

| Field | Description |
|---|---|
| SafeBootRegistryPaths | Registry paths monitored for safe-mode service or driver additions (typically HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and \Network). |
| AllowedAdminTools | Allowlist (by account, host, or parent process) for legitimate administrative use of bcdedit/bootcfg during troubleshooting. |
| TimeWindow | Maximum interval within which a boot configuration command and a SafeBoot registry modification are correlated into a single alert. |
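The correlation described above, as an added example that is not part of the original page or of any vendor's detection content. It models the three data components from the table (Security 4688 process creation, Sysmon 12 key creation, Sysmon 13 value set) as a simple event record, flags bcdedit/bootcfg invocations whose command line changes safe-boot behaviour, and pairs them with writes under the SafeBoot keys on the same host inside the TimeWindow. The event schema, host names, account names, service name and timestamps are all constructed for the example; the allowlist only suppresses standalone boot-config commands, on the assumption that a boot-config change plus a new SafeBoot entry in the same window is rare enough in legitimate troubleshooting that it should alert even for allowlisted accounts.

```python
"""Correlate boot-configuration commands with SafeBoot registry changes (example detection logic)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Default SafeBootRegistryPaths. Sysmon reports these as HKLM\System\...; matching is case-insensitive.
SAFEBOOT_REGISTRY_PATHS = (
    r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal",
    r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network",
)
BOOT_CONFIG_IMAGES = ("bcdedit.exe", "bootcfg.exe")
# bcdedit's "safeboot" / "safebootalternateshell" values and bootcfg's "/safeboot:" switch.
# Note this also matches "bcdedit /deletevalue safeboot", i.e. switching safe mode off again.
SAFEBOOT_CMDLINE = re.compile(r"safeboot(alternateshell)?\b|/safeboot:", re.IGNORECASE)


@dataclass
class Event:
    ts: datetime
    host: str
    source: str          # "Security" (EventCode 4688) or "Sysmon" (EventCode 12/13)
    event_id: int
    user: str
    image: str = ""      # process image path, 4688 only
    cmdline: str = ""    # process command line, 4688 only
    target_object: str = ""  # registry path, Sysmon 12/13 only


def is_boot_config_change(ev: Event) -> bool:
    """4688 for bcdedit/bootcfg whose command line touches safe-boot settings."""
    image = ev.image.rsplit("\\", 1)[-1].lower()
    return (ev.source == "Security" and ev.event_id == 4688
            and image in BOOT_CONFIG_IMAGES and bool(SAFEBOOT_CMDLINE.search(ev.cmdline)))


def is_safeboot_registry_change(ev: Event, paths=SAFEBOOT_REGISTRY_PATHS) -> bool:
    """Sysmon key creation (12) or value set (13) under one of the monitored SafeBoot paths."""
    target = ev.target_object.lower()
    return (ev.source == "Sysmon" and ev.event_id in (12, 13)
            and any(target.startswith(p.lower() + "\\") for p in paths))


def correlate(events, safeboot_paths=SAFEBOOT_REGISTRY_PATHS,
              allowed_admins=frozenset(), window=timedelta(minutes=5)):
    """Return alerts: 'high' when a boot-config command pairs with a SafeBoot registry change
    on the same host within the window, 'medium' for an unpaired command by a non-allowlisted user."""
    allowed = {a.lower() for a in allowed_admins}
    ordered = sorted(events, key=lambda e: e.ts)
    boot_cmds = [e for e in ordered if is_boot_config_change(e)]
    reg_mods = [e for e in ordered if is_safeboot_registry_change(e, safeboot_paths)]
    alerts = []
    for cmd in boot_cmds:
        paired = [r for r in reg_mods if r.host == cmd.host and abs(r.ts - cmd.ts) <= window]
        if paired:
            alerts.append({"severity": "high", "host": cmd.host, "user": cmd.user,
                           "cmdline": cmd.cmdline, "registry": [r.target_object for r in paired]})
        elif cmd.user.lower() not in allowed:
            alerts.append({"severity": "medium", "host": cmd.host, "user": cmd.user,
                           "cmdline": cmd.cmdline, "registry": []})
    return alerts


# Constructed sample telemetry (not real logs).
T0 = datetime(2024, 5, 6, 9, 0, 0)
SAMPLE_EVENTS = [
    # Help-desk admin enabling safe mode with networking; allowlisted, no SafeBoot key change.
    Event(T0, "WS01", "Security", 4688, r"CORP\helpdesk1",
          r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} safeboot network"),
    # Suspicious: bcdedit, then a new service entry under SafeBoot\Minimal 40 seconds later.
    Event(T0 + timedelta(minutes=30), "WS07", "Security", 4688, r"CORP\svc-backup",
          r"C:\Windows\System32\bcdedit.exe", "bcdedit.exe /set {current} safeboot minimal"),
    Event(T0 + timedelta(minutes=30, seconds=40), "WS07", "Sysmon", 12, r"CORP\svc-backup",
          target_object=r"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\updsvc"),
    # Registry write outside the SafeBoot keys: not a SafeBoot change.
    Event(T0 + timedelta(minutes=31), "WS07", "Sysmon", 13, r"CORP\svc-backup",
          target_object=r"HKLM\System\CurrentControlSet\Services\updsvc\ImagePath"),
    # Non-allowlisted user using bootcfg's /safeboot switch, no registry change.
    Event(T0 + timedelta(hours=2), "SRV02", "Security", 4688, r"CORP\jdoe",
          r"C:\Windows\System32\bootcfg.exe", 'bootcfg /raw "/safeboot:minimal" /id 1'),
    # Read-only enumeration: not a change.
    Event(T0 + timedelta(hours=3), "WS01", "Security", 4688, r"CORP\jdoe",
          r"C:\Windows\System32\bcdedit.exe", "bcdedit /enum"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS, allowed_admins=frozenset([r"CORP\helpdesk1"])):
        print(a["severity"], a["host"], a["user"], a["cmdline"], a["registry"])
```

Running the block prints one high-severity alert for WS07 (bcdedit plus the new SafeBoot\Minimal\updsvc key) and one medium alert for the bootcfg use on SRV02; the help-desk change is suppressed by the allowlist. Shrinking TimeWindow below the 40-second gap demotes the WS07 alert to medium, which is the trade-off to keep in mind when tuning it: a short window reduces noise but lets an adversary who spaces out the two steps fall through.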