diff --git a/etc/non-ecs-schema.json b/etc/non-ecs-schema.json
index 857095612..59ad39288 100644
--- a/etc/non-ecs-schema.json
+++ b/etc/non-ecs-schema.json
@@ -35,7 +35,8 @@
 "TargetImage": "keyword",
 "TargetLogonId": "keyword",
 "TargetProcessGUID": "keyword",
- "TargetSid": "keyword"
+ "TargetSid": "keyword",
+ "PrivilegeList": "keyword"
 }
 },
 "winlog.logon.type": "keyword",
diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
new file mode 100644
index 000000000..bacd4eae5
--- /dev/null
+++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
@@ -0,0 +1,94 @@
+[metadata]
+creation_date = "2022/02/16"
+maturity = "production"
+updated_date = "2022/02/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies remote access to the registry via an account with Backup Operators group membership. This may indicate an
+attempt to exfiltrate credentials via dumping the SAM registry hive in preparation for credential access and privileges
+elevation.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-system.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious Remote Registry Access via SeBackupPrivilege"
+note = """## Config
+
+The 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.
+Steps to implement the logging policy with with Advanced Audit Configuration:
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+Object Access >
+Audit Detailed File Share (Success)
+```
+
+The 'Special Logon' audit policy must be configured (Success).
+Steps to implement the logging policy with with Advanced Audit Configuration:
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+Logon/Logoff >
+Special Logon (Success)
+```
+"""
+references = [
+ "https://github.com/mpgn/BackupOperatorToDA",
+ "https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp",
+]
+risk_score = 47
+rule_id = "47e22836-4a16-4b35-beee-98f6c4ee9bf2"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+sequence by host.id, winlog.event_data.SubjectLogonId with maxspan=1m
+ [iam where event.action == "logged-in-special" and
+ winlog.event_data.PrivilegeList : "SeBackupPrivilege"]
+ [any where event.action == "Detailed File Share" and winlog.event_data.RelativeTargetName : "winreg"]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+name = "OS Credential Dumping"
+id = "T1003"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+name = "Security Account Manager"
+id = "T1003.002"
+reference = "https://attack.mitre.org/techniques/T1003/002/"
+
+
+
+[rule.threat.tactic]
+name = "Credential Access"
+id = "TA0006"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+name = "Remote Services"
+id = "T1021"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+
+[rule.threat.tactic]
+name = "Lateral Movement"
+id = "TA0008"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
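Review bot: The `description` attributes the activity to Backup Operators group membership, but the first sequence step only requires `SeBackupPrivilege` in the special-logon `PrivilegeList`, which built-in Administrators and many backup service accounts also receive, so the description should state that any account granted that privilege matches, and a `false_positives` entry naming legitimate backup agents and remote registry administration would help analysts triage the alert. Whether `winlog.event_data.PrivilegeList : "SeBackupPrivilege"` fires also depends on the shipper splitting the privilege list into an array: the field is mapped as `keyword` in the schema hunk above, and `:` against a single string holding several privileges would not match without wildcards, so this is worth confirming against a real event before relying on the exact form (a hedge would be `: "*SeBackupPrivilege*"`). In the `note` text, `is required be configured` should read `is required to be configured`, and `with with` is doubled in both "Steps to implement" lines.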