Detection rules › Elastic
Suspicious Remote Registry Access via SeBackupPrivilege
Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1003 OS Credential Dumping, T1003.002 OS Credential Dumping: Security Account Manager, T1003.004 OS Credential Dumping: LSA Secrets |
| Lateral Movement | T1021 Remote Services, T1021.002 Remote Services: SMB/Windows Admin Shares |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4672 | Special privileges assigned to new logon. |
| Security-Auditing | 5145 | A network share object was checked to see whether client can be granted desired access. |
Stages and Predicates
Stage 1: eql:iam
not winlog.event_data.PrivilegeList:"SeDebugPrivilege" and event.action:"logged-in-special" and winlog.event_data.PrivilegeList:"SeBackupPrivilege"Stage 2: eql:any
winlog.event_data.RelativeTargetName:"winreg"Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | PrivilegeList | eq | SeDebugPrivilege |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
event.action | eq |
|
winlog.event_data.PrivilegeList | wildcard |
|
winlog.event_data.RelativeTargetName | wildcard |
|
Neighbors
Often fire together
Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.
- Potential Kerberos Coercion via DNS-Based SPN Spoofing
- Startup/Logon Script added to Group Policy Object
- Scheduled Task Execution at Scale via GPO
- Persistence and Execution at Scale via GPO Scheduled Task
- Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
- Startup/Logon Script Added to Group Policy Object
- Windows AD Short Lived Server Object
- Windows Administrative Shares Accessed On Multiple Hosts