Add SafeBoot Keys Via Reg Utility (d7662ff6-9e97-4596-a61d-9839e32dee8d)

Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attackers to allow ransomware to work in safe mode, as some security products do not

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | Add SafeBoot Keys Via Reg Utility (d7662ff6-9e97-4596-a61d-9839e32dee8d) | Sigma-Rules | 1 |
| Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | 2 |