
Rule Info
Name
Suspicious BCDEdit Safe Mode Modification
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the use of BCDEdit to modify the Windows boot configuration so that the system boots into Safe Mode with a minimal set of services (for example by setting the safeboot element of a boot entry to minimal).
In this configuration, which takes effect on the next reboot, Windows loads only the drivers and services registered for Safe Mode and does not start other third-party software or drivers,
so endpoint security products such as antivirus and EDR agents are typically not running.
This technique is used by attackers to disable or bypass security software before carrying out further actions, and is considered potentially malicious activity.
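The following is an added example and is not the private Nextron rule itself: it approximates the detection described above in Python, running over a handful of constructed Sysmon-style process-creation events (the field names image and command_line, the event samples, and the exact matching logic are assumptions for illustration). It matches a bcdedit.exe process whose command line uses the /set (or -set) verb to assign safeboot minimal, with or without an explicit boot entry identifier, and deliberately does not match enumeration, the reversal with /deletevalue, or the safeboot network variant, which this rule's description does not cover.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (assumed Sysmon-like field names)."""
    image: str
    command_line: str
    parent_image: str = ""


# bcdedit accepts the verb as /set or -set; the boot entry identifier
# ({current}, {default} or a GUID) is optional and defaults to the current
# entry, so the pattern treats it as optional too. Matching is case-insensitive.
SAFEBOOT_MINIMAL = re.compile(
    r"""(?ix)
    (?:^|\s)[/-]set\s+          # the /set or -set verb
    (?:\{[^}]+\}\s+)?           # optional boot entry identifier, e.g. {current}
    safeboot\s+minimal          # safeboot element set to the minimal value
    (?:\s|$)
    """
)


def is_bcdedit(image: str) -> bool:
    """True when the executing image is bcdedit.exe, regardless of path or case."""
    return image.lower().rsplit("\\", 1)[-1] == "bcdedit.exe"


def detect(event: ProcessEvent) -> bool:
    """Return True for a bcdedit invocation that enables Safe Mode (minimal)."""
    return is_bcdedit(event.image) and SAFEBOOT_MINIMAL.search(event.command_line) is not None


def triage(events):
    """Return the command lines of all events that trigger the detection."""
    return [e.command_line for e in events if detect(e)]


# Constructed sample events (not real telemetry). The cmd.exe event is included to
# show that the detection relies on the child bcdedit.exe process event, which
# Sysmon logs separately, rather than on the parent shell's command line.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\bcdedit.exe",
                 "bcdedit /set {current} safeboot minimal", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\bcdedit.exe",
                 r'"C:\Windows\System32\bcdedit.exe" -set {default} safeboot minimal'),
    ProcessEvent(r"C:\Windows\System32\bcdedit.exe",
                 "BCDEDIT /SET SAFEBOOT MINIMAL"),
    ProcessEvent(r"C:\Windows\System32\bcdedit.exe",
                 "bcdedit /enum all"),
    ProcessEvent(r"C:\Windows\System32\bcdedit.exe",
                 "bcdedit /deletevalue {current} safeboot"),
    ProcessEvent(r"C:\Windows\System32\bcdedit.exe",
                 "bcdedit /set {current} safeboot network"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 "cmd /c bcdedit /set {current} safeboot minimal"),
]


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The reversal (bcdedit /deletevalue {current} safeboot) is left unmatched on purpose so that the example mirrors the rule's scope; an analyst hunting for the full technique would still want to see it, since it shows the attacker returning the host to normal boot after the security software was evaded.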
Date
2025-04-24
Modified
None
Id
9b232a44-5046-4691-a066-88ef3c084f1f
Tags
attack.defense-evasion attack.t1562.009
Type
Nextron Sigma feed only (private)