
Summary
This detection rule identifies modifications to the Windows Safe Mode registry keys, specifically the "Minimal" and "Network" SafeBoot levels. It uses registry event logs from endpoint sources such as Sysmon (Event ID 12 and 13) to monitor changes to these critical registry paths. Such modifications can indicate an attempt to maintain persistence across a reboot into Safe Mode, a state in which some security controls do not run. By modifying these keys, an attacker can ensure that their drivers or services load in Safe Mode, evading detection and enabling further activity. The rule alerts when suspicious changes are detected, prompting security teams to investigate.
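The matching logic described in the summary, written out as an added example (not the rule's own query or code): it takes Sysmon registry events, keeps only Event ID 12 (key create/delete) and 13 (value set), and flags those whose target path falls under the SafeBoot "Minimal" or "Network" keys. The sample events, service and driver names, and image paths are constructed for illustration; the path prefix follows Sysmon's HKLM\System\CurrentControlSet convention, and the pattern also accepts ControlSet00N in case the source logs the unresolved control set.

```python
"""Flag Sysmon registry events (IDs 12 and 13) that modify the SafeBoot
Minimal/Network keys, as described in the rule summary. Example code only."""
import re

# Sysmon records registry targets as HKLM\System\CurrentControlSet\...; some
# sources log the concrete ControlSet00N instead, so both spellings are accepted.
# Only the Minimal and Network levels are in scope; the trailing backslash keeps
# sibling keys such as SafeBoot\Option from matching.
SAFEBOOT_PATTERN = re.compile(
    r"^HKLM\\System\\(CurrentControlSet|ControlSet\d{3})"
    r"\\Control\\SafeBoot\\(Minimal|Network)\\",
    re.IGNORECASE,
)

# Sysmon Event ID 12 = registry object create/delete, 13 = registry value set.
REGISTRY_EVENT_IDS = {12, 13}


def is_safeboot_modification(event: dict) -> bool:
    """Return True when the event is a registry create/delete/set under
    SafeBoot\\Minimal or SafeBoot\\Network."""
    if event.get("EventID") not in REGISTRY_EVENT_IDS:
        return False
    return bool(SAFEBOOT_PATTERN.match(event.get("TargetObject", "")))


def find_safeboot_modifications(events):
    """Run the check over a batch of events and return the hits in order."""
    return [e for e in events if is_safeboot_modification(e)]


# Constructed sample events (not real telemetry); field names mirror Sysmon's.
SAMPLE_EVENTS = [
    {   # value set under SafeBoot\Minimal: should alert
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\ExampleSvc\(Default)",
        "Details": "Service",
    },
    {   # key created under SafeBoot\Network by an unusual image: should alert
        "EventID": 12, "EventType": "CreateKey",
        "Image": r"C:\Users\user\AppData\Local\Temp\setup.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ExampleDrv",
    },
    {   # ordinary service start-type change, outside SafeBoot: no alert
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\ExampleSvc\Start",
        "Details": "DWORD (0x00000002)",
    },
    {   # sibling key SafeBoot\Option, not Minimal/Network: no alert
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Control\SafeBoot\Option\OptionValue",
        "Details": "DWORD (0x00000000)",
    },
]

if __name__ == "__main__":
    for hit in find_safeboot_modifications(SAMPLE_EVENTS):
        print(f"[ALERT] EventID={hit['EventID']} {hit['EventType']} "
              f"by {hit['Image']}: {hit['TargetObject']}")
```

Running the block prints two alerts (the Minimal value set and the Network key creation) and ignores the other two events. In practice the hits need tuning against known-good writers, since security products and some installers legitimately register their own services under these keys; the Image field is the natural pivot for that allow-listing.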
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Script
ATT&CK Techniques
- T1112
- T1547.001
- T1547
Created: 2025-01-21