Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0323: Analytic 0323

Abuse of safe mode via BCD modification, boot configuration utilities (bcdedit.exe, bootcfg.exe), and registry persistence under SafeBoot keys. Defender view: suspicious boot configuration changes correlated with registry edits that enable adversary persistence or disable defenses.

EnterpriseAN0323AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because changes to Windows boot configuration and Safe Mode behavior can affect whether security controls load during recovery or restart scenarios. For executives and security leaders, the decision value is not the tool name itself, but whether the organization can see and investigate suspicious boot configuration changes before they become an incident response blind spot.

Executive priority

Prioritize validation of Windows endpoint visibility around boot configuration changes and SafeBoot-related registry modifications. These events can influence resilience, recovery confidence, and audit evidence because they touch low-level system behavior that may affect defensive control availability. Leaders should ask whether SOC and IR teams can quickly identify who changed boot settings, on which systems, and whether those changes were authorized maintenance or suspicious persistence activity.

Technical view

For Windows environments, validate monitoring for suspicious use of boot configuration utilities such as bcdedit.exe and bootcfg.exe, correlated with registry edits under SafeBoot keys. Because the supplied ATT&CK object provides no official detection logic and no relationship context, teams should treat AN0323 as a detection design prompt: correlate process execution, command-line context where available, registry modification telemetry, user/session context, host role, and change timing. Tuning should account for legitimate administrative troubleshooting or recovery activity.

Likely telemetry

  • Windows process execution events for boot configuration utilities, including bcdedit.exe and bootcfg.exe
  • Command-line or process argument telemetry where collected
  • Windows registry modification events involving SafeBoot keys
  • Endpoint security or EDR events showing boot configuration changes
  • User, host, and administrative session context associated with the change

Detection direction

  • Confirm that endpoint telemetry captures both process execution and registry modification evidence on Windows systems; either source alone may be insufficient.
  • Correlate boot configuration utility execution with SafeBoot registry persistence changes to reduce noise and strengthen triage value.
  • Tune for known administrative recovery, imaging, troubleshooting, and maintenance workflows to reduce false positives.
  • Alert priority should increase when changes occur outside approved windows, on sensitive servers or administrator workstations, or without corresponding change records.
  • Because ATT&CK provides no official detection text for this analytic, detection engineering should document local assumptions, required data sources, and known blind spots.

Mitigation priorities

  • Restrict and monitor administrative privileges capable of modifying boot configuration and SafeBoot-related registry settings.
  • Require change control for boot configuration changes on managed Windows assets.
  • Ensure endpoint logging and EDR policies retain process, registry, and user context needed for investigation.
  • Include boot configuration and Safe Mode persistence checks in incident response triage for suspicious Windows hosts.
  • Validate recovery procedures so defensive controls and logging expectations are understood after restart or Safe Mode scenarios.
Analyst notes and limits

AN0323 is a Windows detection analytic focused on suspicious boot configuration changes and SafeBoot registry persistence. No ATT&CK tactics, relationships, aliases, labels, or official detection logic were supplied, so this take emphasizes defensive validation rather than claiming a specific attack chain.

This assessment is limited to the supplied official STIX fields, external reference, and lack of relationship context. It does not establish active exploitation, attribution, impact, or existing detection coverage. Local telemetry, asset criticality, administrative practices, and change-management evidence are required to determine operational risk and alert severity.

Official MITRE ATT&CK definition

Analytic 0323

Abuse of safe mode via BCD modification, boot configuration utilities (bcdedit.exe, bootcfg.exe), and registry persistence under SafeBoot keys. Defender view: suspicious boot configuration changes correlated with registry edits that enable adversary persistence or disable defenses.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
608043a0f9de155c...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 608043a0f9de…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0323
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use