Add SafeBoot Keys Via Reg Utility (d7662ff6-9e97-4596-a61d-9839e32dee8d)

Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attackers to allow the ransomware to work in safe mode as some security products do not

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Add SafeBoot Keys Via Reg Utility (d7662ff6-9e97-4596-a61d-9839e32dee8d) | Sigma-Rules | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 1 |
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 2 |