The exhibit shows a PowerShell script that modifies registry keys under:
HKCU:\Software\Classes\Folder\shell\open\command
This technique is commonly associated with aUAC (User Account Control) bypass. Specifically:
It creates a new custom shell command path for opening folders.
The key registry property"DelegateExecute"is set, which is a known bypass method. If set without a value, it may cause Windows to run commands with elevated privileges without showing the UAC prompt.
The use ofHKCU(HKEY_CURRENT_USER) rather thanHKLM(HKEY_LOCAL_MACHINE) allows the attacker to bypass permissions since HKCU is writable by the current user. This registry hijack can be leveraged by a malicious actor to execute arbitrary commands with elevated rights.
This is identified in the Cisco CyberOps study material under “UAC bypass techniques,” which describes:
“Attackers often create or modify registry keys like DelegateExecute to hijack the default behavior of applications and elevate privileges”.
Thus, option B is correct: the exhibit demonstrates a UAC bypass using user-accessible registry modification.
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit