Suspicious Remote Registry Access via SeBackupPrivilege

Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-system.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Lateral Movement
  • Credential Access

Version: 1

Added (Elastic Stack release): 8.2.0

Rule authors: Elastic

Rule license: Elastic License v2

Investigation guide

## Config

The 'Audit Detailed File Share' audit policy must be configured (Success) on Domain Controllers and sensitive Windows servers.
Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
Object Access >
Audit Detailed File Share (Success)
```

The 'Special Logon' audit policy must be configured (Success).
Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
Logon/Logoff >
Special Logon (Success)
```

Rule query

```
sequence by host.id, winlog.event_data.SubjectLogonId with maxspan=1m
  [iam where event.action == "logged-in-special" and
   winlog.event_data.PrivilegeList : "SeBackupPrivilege"]
  [any where event.action == "Detailed File Share" and
   winlog.event_data.RelativeTargetName : "winreg"]
```
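The rule's two-stage sequence logic, emulated in Python over constructed sample events so the join keys (host.id, SubjectLogonId) and the one-minute maxspan window can be seen working. This is an added illustration, not Elastic's rule engine or code; it assumes flattened winlog field names and treats PrivilegeList as a whitespace-separated list.

```python
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=1)  # the rule's 'with maxspan=1m'
PRIV, TARGET = "winlog.event_data.PrivilegeList", "winlog.event_data.RelativeTargetName"

def ev(ts, action, logon_id, field, value):
    # Build one constructed event in the flattened field layout the query uses
    return {"@timestamp": ts, "host.id": "dc01", "event.action": action,
            "winlog.event_data.SubjectLogonId": logon_id, field: value}

# Constructed sample data: session 0x3e7a1 = special logon with SeBackupPrivilege
# then winreg access 20 s later (should alert); 0x5555 = winreg access with no
# prior special logon (no alert); 0x7777 = winreg access 2 min later (outside maxspan).
SAMPLE_EVENTS = [
    ev("2024-01-10T10:00:00", "logged-in-special", "0x3e7a1",
       PRIV, "SeBackupPrivilege\n\t\t\tSeRestorePrivilege"),
    ev("2024-01-10T10:00:20", "Detailed File Share", "0x3e7a1", TARGET, "winreg"),
    ev("2024-01-10T10:00:25", "Detailed File Share", "0x5555", TARGET, "winreg"),
    ev("2024-01-10T10:05:00", "logged-in-special", "0x7777", PRIV, "SeBackupPrivilege"),
    ev("2024-01-10T10:07:00", "Detailed File Share", "0x7777", TARGET, "winreg"),
]

def is_backup_special_logon(ev):
    # First stage: special logon (4672) whose privilege list names SeBackupPrivilege
    privs = ev.get(PRIV, "").split()
    return ev.get("event.action") == "logged-in-special" and "SeBackupPrivilege" in privs

def is_remote_winreg_access(ev):
    # Second stage: Detailed File Share (5145) access to the winreg named pipe;
    # lower() mirrors the case-insensitive ':' operator in EQL
    return (ev.get("event.action") == "Detailed File Share"
            and ev.get(TARGET, "").lower() == "winreg")

def correlate(events):
    """Emulate 'sequence by host.id, SubjectLogonId with maxspan=1m': return
    (logon_event, share_event) pairs with equal join keys, in order, within MAXSPAN."""
    pending, matches = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key = (ev["host.id"], ev["winlog.event_data.SubjectLogonId"])
        ts = datetime.fromisoformat(ev["@timestamp"])
        if is_backup_special_logon(ev):
            pending[key] = ev  # open a sequence for this host + logon session
        elif is_remote_winreg_access(ev) and key in pending:
            first = pending.pop(key)  # a match (or a late event) consumes the first stage
            if ts - datetime.fromisoformat(first["@timestamp"]) <= MAXSPAN:
                matches.append((first, ev))
    return matches
```

Running `correlate(SAMPLE_EVENTS)` yields a single pair for session 0x3e7a1; the other two winreg accesses fall outside the sequence or the window.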

Threat mapping

Framework: MITRE ATT&CK™