Ransomware we’ve recently analysed uses the following command to reboot your machine into Safe Mode before performing encryption:

C:\Windows\System32\bcdedit.exe /set safeboot network

Why? Because your EDR/AV might not be allowed to run in Windows Safe Mode.

Monitor for that command, and filter out the applications that do it legitimately (there’s always one).
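A worked version of that detection, added here as an example and not taken from the note or any vendor product: it runs over a handful of constructed process-creation events (Sysmon Event ID 1 style fields, assumed names), flags any bcdedit invocation that sets the safeboot value, and drops the one parent process you have decided is allowed to do it. The vendor path in the allowlist is hypothetical. It goes a little beyond the single command in the note: it accepts either switch prefix bcdedit understands, any boot-entry identifier, all three documented safeboot values, and matches on OriginalFileName so a renamed copy of bcdedit.exe is still caught.

```python
import re
from pathlib import PureWindowsPath

# bcdedit accepts "/" or "-" as the switch prefix; the boot-entry identifier
# (e.g. {current}, {default}) is optional; the documented safeboot values are
# minimal, network and dsrepair.
SAFEBOOT_SET = re.compile(
    r"[/-]set\s+(?:\{[^}]*\}\s+)?safeboot\s+(minimal|network|dsrepair)\b",
    re.IGNORECASE,
)

# Parent images that are permitted to set safeboot on this estate.
# Hypothetical vendor path: this is the "filter out the legitimate one" step.
ALLOWED_PARENTS = {
    r"c:\program files\examplevendor\recovery-agent.exe",
}


def is_bcdedit(event):
    """True if the process is bcdedit.exe by image path or by the PE
    OriginalFileName field (the latter survives a renamed copy)."""
    image = PureWindowsPath(event.get("image", "")).name.lower()
    original = event.get("original_file_name", "").lower()
    return image == "bcdedit.exe" or original == "bcdedit.exe"


def classify(event, allowed_parents=ALLOWED_PARENTS):
    """Return None for uninteresting events, otherwise a finding dict that
    records which safeboot value was set and whether the parent is allowlisted."""
    if not is_bcdedit(event):
        return None
    match = SAFEBOOT_SET.search(event.get("command_line", ""))
    if not match:
        return None  # other bcdedit use, e.g. /deletevalue safeboot or display settings
    parent = event.get("parent_image", "").lower()
    return {
        "host": event["host"],
        "user": event["user"],
        "parent_image": event["parent_image"],
        "safeboot_value": match.group(1).lower(),
        "allowlisted": parent in allowed_parents,
    }


def find_safeboot_events(events, allowed_parents=ALLOWED_PARENTS):
    """Alerts for every safeboot set by a non-allowlisted parent, in event order."""
    findings = []
    for event in events:
        finding = classify(event, allowed_parents)
        if finding and not finding["allowlisted"]:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real events); field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": r"CORP\jdoe", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\bcdedit.exe", "original_file_name": "bcdedit.exe",
     "command_line": r"C:\Windows\System32\bcdedit.exe /set safeboot network"},
    {"host": "srv01", "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": r"C:\Program Files\ExampleVendor\recovery-agent.exe",
     "image": r"C:\Windows\System32\bcdedit.exe", "original_file_name": "bcdedit.exe",
     "command_line": r"bcdedit.exe /set {default} safeboot network"},
    {"host": "ws02", "user": r"CORP\asmith", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\bcdedit.exe", "original_file_name": "bcdedit.exe",
     "command_line": r"bcdedit -set {current} safeboot minimal"},
    {"host": "ws04", "user": r"CORP\bng", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\svc.exe", "original_file_name": "bcdedit.exe",
     "command_line": r"svc.exe /set safeboot network"},
    {"host": "ws01", "user": r"CORP\jdoe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\bcdedit.exe", "original_file_name": "bcdedit.exe",
     "command_line": r"bcdedit.exe /deletevalue safeboot"},
    {"host": "ws03", "user": r"CORP\it-admin", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\bcdedit.exe", "original_file_name": "bcdedit.exe",
     "command_line": r"bcdedit.exe /set {bootmgr} displaybootmenu yes"},
]

if __name__ == "__main__":
    for finding in find_safeboot_events(SAMPLE_EVENTS):
        print(f"{finding['host']}: {finding['user']} set safeboot={finding['safeboot_value']} "
              f"via {finding['parent_image']}")
```

Over the sample set this raises three alerts (ws01, ws02 and the renamed copy on ws04); the vendor agent on srv01 is matched but suppressed by the allowlist, and the two other bcdedit calls are ignored. Keep the allowlist keyed on the parent image rather than on the user, since the ransomware runs as whoever was compromised.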

This technique is used late in the kill chain, so make sure you respond quickly…

https://twitter.com/rfackroyd

https://blog.didierstevens.com/2007/03/26/playing-with-safe-mode/

https://techcommunity.microsoft.com/t5/windows-blog-archive/sony-rootkits-and-digital-rights-management-gone-too-far/ba-p/723442


🌱 Back to Garden