Elastic Security Detection Rules

Suspicious Remote Registry Access via SeBackupPrivilege

Last updated 9 days ago on 2025-01-22
Created 3 years ago on 2022-02-16

About

Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.
Tags
Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: Lateral MovementTactic: Credential AccessUse Case: Active Directory MonitoringData Source: Active DirectoryData Source: SystemLanguage: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Credential Access (TA0006)(opens in a new tab or window)

OS Credential Dumping (T1003)(opens in a new tab or window)

Lateral Movement (TA0008)(opens in a new tab or window)

Remote Services (T1021)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
winlogbeat-*logs-system.*logs-windows.*
Related Integrations

system(opens in a new tab or window)

windows(opens in a new tab or window)

Query
sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m
 [iam where event.action == "logged-in-special"  and
  winlog.event_data.PrivilegeList : "SeBackupPrivilege" and

  /* excluding accounts with existing privileged access */
  not winlog.event_data.PrivilegeList : "SeDebugPrivilege"]
 [any where event.code == "5145" and winlog.event_data.RelativeTargetName : "winreg"]

Install detection rules in Elastic Security

Detect Suspicious Remote Registry Access via SeBackupPrivilege in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).