IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Suspicious Remote Registry Access via SeBackupPrivilege

Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privilege escalation.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-system.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Lateral Movement
- Credential Access
Version: 2 (version history)
Added (Elastic Stack release): 8.2.0
Last modified (Elastic Stack release): 8.3.0
Rule authors: Elastic
Rule license: Elastic License v2
Investigation guide
## Config

The 'Audit Detailed File Share' audit policy must be configured (Success) on Domain Controllers and sensitive Windows Servers. Steps to implement the logging policy with Advanced Audit Configuration:

```
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > Object Access > Audit Detailed File Share (Success)
```

The 'Special Logon' audit policy must be configured (Success). Steps to implement the logging policy with Advanced Audit Configuration:

```
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > Logon/Logoff > Special Logon (Success)
```
Rule query
```eql
sequence by host.id, winlog.event_data.SubjectLogonId with maxspan=1m
  [iam where event.action == "logged-in-special" and
   winlog.event_data.PrivilegeList : "SeBackupPrivilege"]
  [any where event.action == "Detailed File Share" and
   winlog.event_data.RelativeTargetName : "winreg"]
```
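To make the correlation logic of the query concrete, the following is an added example (not code from the Elastic rule or its repository) that emulates the two-stage EQL sequence in plain Python over a handful of constructed, flattened ECS-style events: a Special Logon (4672) carrying SeBackupPrivilege, followed within one minute on the same host and logon session by a Detailed File Share (5145) access to the `winreg` pipe. Field names are those used by the rule; the timestamps, host IDs, logon IDs and the list form of `PrivilegeList` are assumptions for the sample.

```python
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=1)  # "with maxspan=1m" in the rule query

def _ev(ts, host, logon_id, action, extra):
    """Build a flat ECS-style record. Constructed sample data, not real telemetry."""
    return {"@timestamp": datetime.fromisoformat(ts), "host.id": host,
            "winlog.event_data.SubjectLogonId": logon_id, "event.action": action, **extra}

# Constructed events: one true match, one pair outside maxspan, one logon without the privilege.
SAMPLE_EVENTS = [
    _ev("2023-01-01T10:00:00", "host-a", "0x3e7a1", "logged-in-special",
        {"winlog.event_data.PrivilegeList": ["SeBackupPrivilege", "SeRestorePrivilege"]}),
    _ev("2023-01-01T10:00:20", "host-a", "0x3e7a1", "Detailed File Share",
        {"winlog.event_data.RelativeTargetName": "winreg"}),
    _ev("2023-01-01T11:00:00", "host-b", "0x41c2", "logged-in-special",
        {"winlog.event_data.PrivilegeList": ["SeBackupPrivilege"]}),
    _ev("2023-01-01T11:05:00", "host-b", "0x41c2", "Detailed File Share",   # 5 min later
        {"winlog.event_data.RelativeTargetName": "winreg"}),
    _ev("2023-01-01T12:00:00", "host-c", "0x5d10", "logged-in-special",
        {"winlog.event_data.PrivilegeList": ["SeChangeNotifyPrivilege"]}),
    _ev("2023-01-01T12:00:05", "host-c", "0x5d10", "Detailed File Share",
        {"winlog.event_data.RelativeTargetName": "winreg"}),
]

def is_backup_privilege_logon(ev):
    """Stage 1: 'logged-in-special' (4672) whose PrivilegeList holds SeBackupPrivilege.
    EQL ':' is a case-insensitive match, so compare lower-cased."""
    privs = ev.get("winlog.event_data.PrivilegeList") or []
    return ev.get("event.action") == "logged-in-special" and \
        any(p.lower() == "sebackupprivilege" for p in privs)

def is_remote_winreg_access(ev):
    """Stage 2: 'Detailed File Share' (5145) whose relative target is the winreg pipe."""
    return ev.get("event.action") == "Detailed File Share" and \
        (ev.get("winlog.event_data.RelativeTargetName") or "").lower() == "winreg"

def find_sequences(events):
    """Emulate 'sequence by host.id, SubjectLogonId with maxspan=1m [stage1] [stage2]'.
    Returns the (host.id, SubjectLogonId) join keys that completed the sequence in order."""
    pending = {}  # join key -> timestamp of the most recent stage-1 event
    hits = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key = (ev.get("host.id"), ev.get("winlog.event_data.SubjectLogonId"))
        if is_backup_privilege_logon(ev):
            pending[key] = ev["@timestamp"]
        elif is_remote_winreg_access(ev) and key in pending:
            if ev["@timestamp"] - pending.pop(key) <= MAXSPAN:
                hits.append(key)
    return hits

if __name__ == "__main__":
    for host, logon in find_sequences(SAMPLE_EVENTS):
        print(f"ALERT host={host} logon_id={logon}: SeBackupPrivilege logon followed by winreg access")
```

Only host-a fires: host-b's pair falls outside the one-minute window and host-c's logon never received SeBackupPrivilege, which is exactly the pairing the EQL sequence enforces.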
Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Credential Access
  - ID: TA0006
  - Reference URL: https://attack.mitre.org/tactics/TA0006/
- Technique:
  - Name: OS Credential Dumping
  - ID: T1003
  - Reference URL: https://attack.mitre.org/techniques/T1003/
- Tactic:
  - Name: Lateral Movement
  - ID: TA0008
  - Reference URL: https://attack.mitre.org/tactics/TA0008/
- Technique:
  - Name: Remote Services
  - ID: T1021
  - Reference URL: https://attack.mitre.org/techniques/T1021/
Rule version history
- Version 2 (8.3.0 release)
  - Formatting only