
Summary
This detection rule identifies suspicious remote access to the Windows registry by an account holding the 'SeBackupPrivilege' privilege, which is typically granted through membership in the Backup Operators group. The technique is common in credential-theft attacks: an account with backup privileges can read protected registry hives such as the Security Account Manager (SAM) remotely, dump them, and extract credential material to escalate privileges. The risk scenario is an account that receives this privilege at logon (a special logon event) and then accesses the registry over the network shortly afterwards.
The rule is a sequence over events shipped by 'winlogbeat': a special logon (Windows event 4672, 'Special privileges assigned to new logon') whose privilege list contains 'SeBackupPrivilege', followed on the same host and logon session by a Detailed File Share event (event 5145) that targets the remote registry. Note that 5145 is a file share access event rather than a registry event; remote registry calls reach the host through the 'winreg' named pipe on the IPC$ share, and that pipe name is what the second step of the sequence matches. Investigation steps include identifying the user responsible, checking for other alerts or actions tied to that user, and confirming with the account owner whether the activity is expected. The false positive potential is acknowledged (legitimate backup or administration tooling can produce the same pair of events), so the rule is meant to be tuned per environment. For confirmed malicious activity, the response guidance stresses locking down the account, reviewing related logs, and assessing the wider environment for further compromise.
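To make the two-step sequence concrete, here is an added example (not the rule's own query, and not Elastic's or the rule author's code) that runs the same correlation logic over a handful of constructed winlogbeat-style events: a 4672 carrying 'SeBackupPrivilege' followed, on the same host and logon session and within a short window, by a 5145 on the 'winreg' pipe. The field names ('winlog.event_id', 'winlog.computer_name', 'winlog.event_data.SubjectLogonId', 'PrivilegeList', 'RelativeTargetName'), the one-minute window and the 'SeDebugPrivilege' exclusion are assumptions introduced for the example, not details stated on this page.

```python
"""Toy correlator for the sequence described above: a special logon (4672) that
carries SeBackupPrivilege, followed within a short window by remote registry
access (5145 on the 'winreg' named pipe) from the same host and logon session.

Added example, not the rule's query. Field names follow the winlogbeat layout
(winlog.event_id, winlog.computer_name, winlog.event_data.*); the one-minute
window and the SeDebugPrivilege exclusion are assumptions for illustration.
"""
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=1)  # assumed correlation window between the two events


def _event(ts, event_id, host, logon_id, user, **data):
    # Builds a constructed winlogbeat-style event (sample data, not a real log).
    data.update({"SubjectUserName": user, "SubjectLogonId": logon_id})
    return {"@timestamp": ts,
            "winlog": {"event_id": event_id, "computer_name": host, "event_data": data}}


# Constructed sample events, deliberately out of order to show that the
# correlator sorts by time before matching.
EVENTS = [
    # 0x3e7a1: SeBackupPrivilege logon, winreg pipe opened 12 s later -> alert
    _event("2022-02-16T10:00:12Z", 5145, "FS01", "0x3e7a1", "svc_backup",
           ShareName="\\\\*\\IPC$", RelativeTargetName="winreg"),
    _event("2022-02-16T10:00:00Z", 4672, "FS01", "0x3e7a1", "svc_backup",
           PrivilegeList="SeBackupPrivilege\n\t\t\tSeRestorePrivilege"),
    # 0x44b02: logon already holds SeDebugPrivilege -> excluded by the tuning below
    _event("2022-02-16T10:01:00Z", 4672, "FS01", "0x44b02", "adm_jane",
           PrivilegeList="SeDebugPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeTcbPrivilege"),
    _event("2022-02-16T10:01:05Z", 5145, "FS01", "0x44b02", "adm_jane",
           ShareName="\\\\*\\IPC$", RelativeTargetName="winreg"),
    # 0x51c03: same pattern, but the registry access comes 5 min later -> outside window
    _event("2022-02-16T10:02:00Z", 4672, "DC01", "0x51c03", "svc_backup",
           PrivilegeList="SeBackupPrivilege"),
    _event("2022-02-16T10:07:00Z", 5145, "DC01", "0x51c03", "svc_backup",
           ShareName="\\\\*\\IPC$", RelativeTargetName="winreg"),
    # 0x62d04: SeBackupPrivilege logon followed by an ordinary file share read -> no alert
    _event("2022-02-16T10:03:00Z", 4672, "DC01", "0x62d04", "svc_backup",
           PrivilegeList="SeBackupPrivilege"),
    _event("2022-02-16T10:03:10Z", 5145, "DC01", "0x62d04", "svc_backup",
           ShareName="\\\\*\\Backups", RelativeTargetName="finance\\payroll.xlsx"),
]


def _ts(ev):
    return datetime.strptime(ev["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")


def _session(ev):
    # Join key: the sequence must stay on one host and one logon session.
    w = ev["winlog"]
    return (w["computer_name"], w["event_data"]["SubjectLogonId"])


def is_backup_privileged_logon(ev):
    """Step 1: event 4672 whose PrivilegeList contains SeBackupPrivilege.

    Excluding logons that also hold SeDebugPrivilege is an added tuning choice
    (not stated on the page): such a session is fully privileged already, so it
    is not the Backup Operators abuse case the rule is after."""
    w = ev["winlog"]
    if w["event_id"] != 4672:
        return False
    privs = set(w["event_data"].get("PrivilegeList", "").split())
    return "SeBackupPrivilege" in privs and "SeDebugPrivilege" not in privs


def is_remote_registry_access(ev):
    """Step 2: event 5145 (Detailed File Share) on the 'winreg' named pipe,
    which is how the Remote Registry service is reached over SMB/IPC$."""
    w = ev["winlog"]
    return (w["event_id"] == 5145
            and w["event_data"].get("RelativeTargetName", "").lower() == "winreg")


def correlate(events, maxspan=MAXSPAN):
    """Return one alert per (host, logon id) where step 1 is followed by step 2
    within maxspan. Input order does not matter; events are sorted by time."""
    alerts, pending = [], {}  # pending: session -> time of its qualifying 4672
    for ev in sorted(events, key=_ts):
        sess = _session(ev)
        if is_backup_privileged_logon(ev):
            pending[sess] = _ts(ev)
        elif is_remote_registry_access(ev) and sess in pending:
            delta = _ts(ev) - pending.pop(sess)  # consume: one alert per sequence
            if delta <= maxspan:
                alerts.append({"host": sess[0], "logon_id": sess[1],
                               "user": ev["winlog"]["event_data"]["SubjectUserName"],
                               "delta_s": int(delta.total_seconds())})
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"ALERT host={a['host']} logon={a['logon_id']} user={a['user']} "
              f"winreg access {a['delta_s']}s after SeBackupPrivilege logon")
```

Run as-is, the script raises exactly one alert (session 0x3e7a1 on FS01); widening 'maxspan' to ten minutes also catches the delayed 0x51c03 sequence, which is the kind of knob the per-environment tuning mentioned above turns. The 'adm_jane' session never alerts because of the added SeDebugPrivilege exclusion, and the payroll file read never alerts because the second step checks the pipe name, not merely that a 5145 occurred.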
Categories
- Windows
- Endpoint
- On-Premise
Data Sources
- Active Directory
- Windows Registry
- Logon Session
- File
ATT&CK Techniques
- T1003
- T1003.002
- T1003.004
- T1021
Created: 2022-02-16