Registry Persistence via Service in Safe Mode

Sigma Rules

Summary
This rule detects modifications to the Windows registry that allow a driver or service to be loaded in Safe Mode, a tactic malware uses to persist and keep running when fewer system defenses are active. It focuses on the Safe Boot registry keys under \Control\SafeBoot\Minimal\ (Safe Mode without networking) and \Control\SafeBoot\Network\ (Safe Mode with networking). The detection logic monitors for registry value changes indicating that a new service has been registered to load in either Safe Boot mode. The rule applies specific conditions to the target object's name and structure and excludes known benign processes to limit false positives. Malicious services manipulate these keys to keep their presence on a system during security investigations or recovery operations: because Safe Mode loads only a minimal set of drivers and services and is commonly used for cleanup, starting there lets them evade the removal methods security solutions rely on. If a modification to the listed registry paths matches the selection criteria and is not covered by the filter, an alert is raised signalling a possible persistence attempt.
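The selection-and-filter logic described above, applied to Sysmon-style registry value-set events, as an added example that is not the Sigma rule itself or the project's own code. It assumes Sysmon Event ID 13 records with Image, TargetObject and Details fields; the benign-image allowlist and the sample events are constructed placeholders for this example, not the rule's real exclusions.

```python
import re
from typing import Optional

# Selection: a value written under one of the two Safe Boot service lists.
# Windows lays these keys out as ...\SafeBoot\<Minimal|Network>\<ServiceName>\(Default),
# so requiring exactly one subkey level plus the (Default) value enforces that structure.
SAFEBOOT_RE = re.compile(
    r"\\Control\\SafeBoot\\(?P<mode>Minimal|Network)\\(?P<service>[^\\]+)\\\(Default\)$",
    re.IGNORECASE,
)

# Filter: images treated as legitimate writers of these keys. This list is an
# assumption for the example; the page does not list the rule's actual exclusions.
BENIGN_IMAGES = {
    "c:\\windows\\system32\\services.exe",
    "c:\\windows\\system32\\msiexec.exe",
}


def classify(event: dict) -> Optional[dict]:
    """Return an alert if the event matches the selection and is not filtered, else None."""
    if event.get("EventID") != 13:  # Sysmon 13 = RegistryEvent (Value Set)
        return None
    match = SAFEBOOT_RE.search(event.get("TargetObject", ""))
    if not match:
        return None  # not a Safe Boot service entry, or wrong key shape
    if event.get("Image", "").lower() in BENIGN_IMAGES:
        return None  # filter: known benign process
    return {
        "mode": match.group("mode").capitalize(),   # "Minimal" or "Network"
        "service": match.group("service"),
        "image": event["Image"],
        "details": event.get("Details", ""),
    }


def scan(events) -> list:
    """Run the rule over a sequence of events and collect the alerts."""
    return [alert for alert in (classify(e) for e in events) if alert]


# Constructed sample events (not real telemetry).
SAFEBOOT = "HKLM\\System\\CurrentControlSet\\Control\\SafeBoot\\"
EVENTS = [
    # Legitimate service-control manager writing a driver entry: filtered out.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": SAFEBOOT + "Minimal\\vga.sys\\(Default)", "Details": "Driver"},
    # Unknown binary registering a service for both Safe Boot modes: two alerts.
    {"EventID": 13, "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\updater.exe",
     "TargetObject": SAFEBOOT + "Minimal\\ExampleSvc\\(Default)", "Details": "Service"},
    {"EventID": 13, "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\updater.exe",
     "TargetObject": SAFEBOOT + "Network\\ExampleSvc\\(Default)", "Details": "Service"},
    # Ordinary service configuration outside the SafeBoot keys: no match.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\ExampleSvc\\ImagePath",
     "Details": "C:\\Users\\user\\AppData\\Local\\Temp\\updater.exe"},
    # Key creation (Event ID 12) without a value write: outside this rule's scope.
    {"EventID": 12, "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\updater.exe",
     "TargetObject": SAFEBOOT + "Minimal\\ExampleSvc"},
]

if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(f"ALERT SafeBoot/{alert['mode']}: {alert['service']} set to "
              f"'{alert['details']}' by {alert['image']}")
```

The structural check is what keeps this from firing on every write beneath SafeBoot: only a direct `<ServiceName>\(Default)` value, the shape Windows itself uses to list Safe Mode services and drivers, is considered, and the image filter then removes the processes expected to maintain that list.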
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1112
Created: 2022-04-04