Change To Safe Mode With Network Config

Splunk Security Content

Summary
This analytic rule is designed to detect suspicious executions of the `bcdedit` command that configure a Windows host to boot into safe mode with network support. By leveraging data from Endpoint Detection and Response (EDR) agents, it identifies command-line activity related to `bcdedit.exe` that matches specific parameters indicative of malicious behavior. This technique is particularly significant as it has been associated with BlackMatter ransomware, which utilizes safe mode to evade security controls and continue encryption activities on compromised systems. The detection focuses on command-line patterns related to safe mode configurations, enabling security teams to respond to potential ransomware incidents.
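To make the command-line pattern concrete, the following is an added example written for this page (not the Splunk search itself): a small matcher that applies the same logic to process-creation events. The event fields and the sample events are constructed, and it also shows the revert form (`/deletevalue ... safeboot`) that a tuned rule would not confuse with the suspicious `/set` form.

```python
import re

# Constructed sample EDR process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe",
     "process": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {current} safeboot network"},
    {"host": "ws02", "user": "CORP\\admin",
     "process": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} SAFEBOOT NETWORK"},
    {"host": "ws03", "user": "CORP\\admin",
     "process": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /enum"},
    {"host": "ws04", "user": "CORP\\jdoe",
     "process": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /deletevalue {current} safeboot"},
    {"host": "ws05", "user": "CORP\\jdoe",
     "process": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c echo safeboot network"},
]

# "/set", an optional boot-entry id such as {current} or {default},
# then "safeboot network". Case-insensitive, since cmd.exe is.
SAFEBOOT_NETWORK = re.compile(
    r"/set\s+(\{[^}]+\}\s+)?safeboot\s+network\b", re.IGNORECASE)


def is_safe_mode_network_config(event):
    """True when the process is bcdedit.exe and its command line
    sets safeboot to network. The revert (/deletevalue ... safeboot)
    and unrelated bcdedit usage (/enum) do not match."""
    image = event.get("process", "").replace("/", "\\").rsplit("\\", 1)[-1]
    if image.lower() != "bcdedit.exe":
        return False
    return SAFEBOOT_NETWORK.search(event.get("cmdline", "")) is not None


def find_matches(events):
    """Return the events that should raise this analytic's alert."""
    return [e for e in events if is_safe_mode_network_config(e)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"ALERT host={hit['host']} user={hit['user']} "
              f"cmdline={hit['cmdline']!r}")
```

Running it flags ws01 and ws02 only; the `cmd.exe` echo and the `/deletevalue` revert are left alone, which is the kind of false-positive check worth confirming before enabling the rule in production.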
Categories
  • Endpoint
  • Windows
Data Sources
  • Pod
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1490
  • T1552.002
Created: 2024-11-13