T1688: Safe Mode Boot
Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.[1][2]
Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.[3]
Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. Modify Registry). Malicious Component Object Model (COM) objects may also be registered and loaded in safe mode.[4][5][6]
Analyst context for executives and security teams
Safe Mode Boot matters because it can turn a Windows reboot into a defensive blind spot. If an attacker can force a host into Safe Mode, endpoint security tools may not load, giving ransomware or other malicious software a window to operate with reduced monitoring. For leaders, this is less about Safe Mode itself and more about whether critical Windows systems remain observable and controllable during abnormal boot states.
Executive priority
Prioritize this technique where Windows endpoints or servers support business-critical operations. ATT&CK links this behavior to multiple ransomware software entries, so resilience planning should ask: who can change boot configuration, can the SOC see those changes before reboot, and will incident responders know when an endpoint defense outage is caused by Safe Mode rather than a routine agent failure? This is also useful audit evidence for privileged access control, endpoint configuration governance, and ransomware readiness.
Technical view
For SOC, detection engineering, and IR teams, validate coverage around Windows Boot Configuration Data changes, Safe Mode-related Registry modifications, and endpoint security service state after reboot. The object is in the defense-impairment tactic and applies to Windows. MITRE does not provide official detection text here, but relationship context identifies DET0116, Detection Strategy for Safe Mode Boot Abuse, as relevant. Detection should focus on suspicious privileged changes to boot settings, additions of services or COM-related components that can load in Safe Mode, and the sequence of configuration change followed by reboot and reduced security-tool visibility.
Likely telemetry
- Windows process execution and command-line telemetry for boot-configuration utilities or other tools modifying boot settings
- Windows Registry modification events for Safe Mode service start configuration and related persistence locations described by the technique
- Privileged account activity and administrative change logs tied to boot or system configuration changes
- System reboot, startup mode, and service start/stop events
- Endpoint protection or EDR health telemetry showing agents, drivers, or services failing to start after reboot
Detection direction
- Map and evaluate DET0116 if available in the detection library, then test whether it covers BCD changes, Safe Mode-related Registry changes, and post-reboot security control degradation.
- Correlate privileged configuration changes with near-term reboot events and endpoint protection service gaps; this sequence is more meaningful than any single event alone.
- Tune for legitimate administrative recovery, troubleshooting, and maintenance activity, which can otherwise create false positives.
- Treat unexplained endpoint telemetry loss after reboot as an investigation trigger, especially when preceded by boot or Registry changes.
- Update ATT&CK mappings from revoked T1562.009 to T1688 so reporting, detections, and coverage metrics remain current.
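The correlation the detection direction above describes (boot-configuration change, then reboot, then endpoint agent gap), as an added example that is not part of the MITRE or Glexia page: a small Python detector run over constructed telemetry. The event field names (host, ts, type, cmdline, key), hostnames and service names are assumptions, not any vendor's schema.

```python
import re
from datetime import datetime, timedelta
# Preparation indicators from the technique description: bcdedit changing the
# safeboot setting, and writes under the SafeBoot Registry key that lists what
# may load in Safe Mode (Minimal) or Safe Mode with Networking (Network).
BCD_SAFEBOOT = re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)
SAFEBOOT_KEY = re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\", re.I)

def is_prep_event(ev):
    """True if a process or Registry event looks like Safe Mode preparation."""
    if ev["type"] == "process":
        return bool(BCD_SAFEBOOT.search(ev.get("cmdline", "")))
    if ev["type"] == "registry":
        return bool(SAFEBOOT_KEY.search(ev.get("key", "")))
    return False

def find_safe_mode_sequences(events, window=timedelta(hours=2)):
    """One alert per reboot preceded (within `window`) by a preparation event
    on the same host and followed by an EDR service failing to start. A lone
    bcdedit run or a lone reboot never alerts; the sequence is the signal."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        for reboot in (e for e in evs if e["type"] == "reboot"):
            prep = [e for e in evs if is_prep_event(e)
                    and reboot["ts"] - window <= e["ts"] < reboot["ts"]]
            gap = [e for e in evs if e["type"] == "edr_service_fail"
                   and reboot["ts"] < e["ts"] <= reboot["ts"] + window]
            if prep and gap:
                alerts.append({"host": host, "reboot": reboot["ts"],
                               "prep": prep, "gap": gap})
    return alerts

# Constructed sample telemetry (hostnames and service names are invented).
T0 = datetime(2026, 4, 15, 9, 0)
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": T0, "type": "process",
     "cmdline": "bcdedit.exe /set {current} safeboot network"},
    {"host": "ws01", "ts": T0 + timedelta(minutes=1), "type": "registry",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\svc_x"},
    {"host": "ws01", "ts": T0 + timedelta(minutes=3), "type": "reboot"},
    {"host": "ws01", "ts": T0 + timedelta(minutes=5),
     "type": "edr_service_fail", "service": "EdrSensor"},
    # Routine maintenance reboot: agent hiccup but no boot-config change.
    {"host": "ws02", "ts": T0, "type": "reboot"},
    {"host": "ws02", "ts": T0 + timedelta(minutes=2),
     "type": "edr_service_fail", "service": "EdrSensor"},
]
```

Only ws01 alerts here; ws02 shows the tuning point from the list above, since an agent failing after a routine reboot with no preceding boot-configuration change is not enough on its own.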
Mitigation priorities
- Use M1026 Privileged Account Management first: restrict and monitor who can make boot, Registry, and system configuration changes on Windows systems.
- Use M1054 Software Configuration to review endpoint security and system settings so protective services are configured as robustly as supported during abnormal startup conditions.
- Require change control and logging for boot configuration changes on critical Windows assets.
- Include Safe Mode abuse scenarios in ransomware tabletop exercises and IR runbooks, including how analysts confirm whether a host is intentionally or maliciously in Safe Mode.
- Review whether endpoint defense health monitoring alerts on unexpected agent absence after reboot, not just malware detections.
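The SafeBoot configuration review that the Software Configuration mitigation above calls for, as an added example that is not part of the MITRE or Glexia page: parse a `reg export` of the SafeBoot key and diff its Minimal and Network entries against an approved baseline, so additions of the kind the technique description mentions (extra services or COM classes) surface for explanation. The export text, the baseline, the GUID and the `svc_x` name are constructed placeholders.

```python
import re

# Constructed `reg export`-style excerpt of the SafeBoot key (not a real host).
# Each subkey under Minimal or Network names a service, driver group or COM
# class permitted to load in that Safe Mode variant; its default value gives
# the entry type. The GUID and "svc_x" are invented placeholders.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{00000000-0000-0000-0000-000000000001}]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svc_x]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\EventLog]
@="Service"
"""

# Approved entries per mode, as recorded from a known-good build image
# (constructed for this example; a real baseline is much longer).
BASELINE = {
    "Minimal": {"EventLog", "{00000000-0000-0000-0000-000000000001}"},
    "Network": {"EventLog"},
}

KEY_LINE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot"
    r"\\(Minimal|Network)\\([^\]\\]+)\]$", re.I)
DEFAULT_VALUE = re.compile(r'^@="(.*)"$')

def parse_safeboot(export_text):
    """Map each Safe Mode variant to {entry name: entry type} from a .reg dump."""
    entries = {"Minimal": {}, "Network": {}}
    current = None
    for line in export_text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            current = (m.group(1).capitalize(), m.group(2))
            entries[current[0]][current[1]] = None
            continue
        m = DEFAULT_VALUE.match(line.strip())
        if m and current:
            entries[current[0]][current[1]] = m.group(1)
    return entries

def unexpected_entries(entries, baseline=BASELINE):
    """Entries present on the host but absent from the approved baseline; these
    are what a configuration review should escalate for explanation."""
    return {mode: {n: t for n, t in entries[mode].items() if n not in baseline[mode]}
            for mode in entries}
```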
Analyst notes and limits
This technique was created as T1688 and supersedes the revoked T1562.009 Safe Mode Boot entry. Relationship context shows use by several ransomware software entries, including REvil, AvosLocker, Black Basta, LockBit 3.0, RansomHub, Qilin, and Embargo, but that does not by itself establish current activity in any specific environment. The strongest defensive value is validating visibility and control around privileged boot-state changes.
MITRE provides no official detection text for this object, so detection guidance is derived from the official behavior description and listed relationships. Local validation is required to confirm which Windows logs, EDR events, Registry auditing, and boot configuration telemetry are actually collected and retained.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1562.009 | Safe Mode Boot Sub-technique | Safe Mode Boot revoked by this object. |
Groups, software, and campaigns
S1247: Embargo
Embargo is a ransomware variant written in Rust that has been active since at least May 2024.[1][2] Embargo ransomware operations are associated with “double extortion” ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid.[1][2] Embargo ransomware has been known to be delivered through a loader known as MDeployer which also leverages a malware component known as MS4Killer that facilitates termination of processes operating on the victim hosts.[2] Embargo is also reportedly a Ransomware as a Service (RaaS).[2]
S1053: AvosLocker
AvosLocker is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS) model. It was first observed in June 2021 and has been used against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors in the United States. As of March 2022, AvosLocker had also been used against organizations in Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey, the United Arab Emirates, and the United Kingdom.[1][2][3]
S0496: REvil
REvil is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service (RaaS) since at least April 2019. REvil, which has been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.[1][2][3]
S1070: Black Basta
Black Basta is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and VMware ESXi servers. Black Basta operations have included the double extortion technique, where, in addition to demanding ransom for decrypting the files of targeted organizations, the cyber actors also threaten to post sensitive information to a leak site if the ransom is not paid. Black Basta affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess the Black Basta RaaS operators could include current or former members of the Conti group.[1][2][3][4][5][6]
S1242: Qilin
Qilin is a ransomware family operated as a ransomware-as-a-service (RaaS) that has been active since at least 2022. It includes variants written in Go and Rust capable of targeting Windows, Linux, and VMware ESXi environments. Qilin shares functionality overlaps with Black Basta, REvil, and BlackCat ransomware. Qilin affiliates have targeted multiple entities worldwide with the majority of victims in the US, France, Canada, and the UK, primarily in the manufacturing, technology, financial services, and healthcare sectors.[1][2][3][4][5]
S1202: LockBit 3.0
LockBit 3.0 is an evolution of the LockBit Ransomware-as-a-Service (RaaS) offering with similarities to BlackMatter and BlackCat ransomware. LockBit 3.0 has been in use since at least June 2022 and features enhanced defense evasion and exfiltration tactics, robust encryption methods for Windows and VMware ESXi systems, and a more refined RaaS structure over its predecessors such as LockBit 2.0.[1][2][3][4]
S1212: RansomHub
RansomHub is a ransomware-as-a-service (RaaS) offering with Windows, ESXi, Linux, and FreeBSD versions that has been in use since at least 2024 to target organizations in multiple sectors globally. RansomHub operators may have purchased and rebranded resources from Knight (formerly Cyclops) Ransomware which shares infrastructure, feature, and code overlaps with RansomHub.[1][2]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 74eac635940d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Microsoft Windows Startup Settings: Microsoft. (n.d.). Retrieved April 15, 2026.
- [2] Sophos Safe Mode Boot: Andrew Brandt. (2019, December 9). Snatch ransomware reboots PCs into Safe Mode to bypass protection. Retrieved April 15, 2026.
- [3] Microsoft bcdedit: Microsoft. (n.d.). Retrieved April 15, 2026.
- [4] CyberArk Labs Safe Mode 2016: Naim, D. (2016, September 15). CyberArk Labs: From Safe Mode to Domain Compromise. Retrieved June 23, 2021.
- [5] Cybereason safe mode boot: Cybereason Nocturnus. (n.d.). Cybereason vs. MedusaLocker Ransomware. Retrieved April 15, 2026.
- [6] BleepingComputer REvil 2021: Abrams, L. (2021, March 19). REvil ransomware has a new ‘Windows Safe Mode’ encryption mode. Retrieved June 23, 2021.
- [7] mitre-attack T1688.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.