Query the Registry for Bypassing UAC Mechanisms from the User-Accessible information

AID2201032010.YAML

#####aid_begin
#description: fetch the information on bypassing uac mechanisms from user-accessible registry
#id: aid2201032010
#processtype: query
#category: registry
#sourcelink: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
#  windows 7
#  windows 8.*
#  windows 10
#  windows 11
#  windows server 2008 r2
#  windows server 2012
#  windows server 2012 r2
#  windows server 2016
#  windows server 2019
#compatibleengine: |-
#  powershell 2
#  powershell 3
#  powershell 4
#  powershell 5.*
#  powershell 7.*
#bgcommandlist: |-
#  get-bgregistry
#notes: |-
#  adversaries may bypass uac mechanisms to elevate process privileges on a system. there are many ways to perform uac bypasses; some of them rely on modifying these user-accessible registry settings. some of these paths do not exist by default, so an adversary can create them manually to have their command executed.
#####aid_end
commands:
- Get-BGRegistry -StartKey "HKCU\Software\Classes\ms-settings\Shell\Open\command"
- Get-BGRegistry -StartKey "HKCU\Software\Classes\mscfile\shell\open\command"
- Get-BGRegistry -StartKey "HKCU\Software\Classes\exefile\shell\runas\command\IsolatedCommand"
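The following is an added example, not part of the original AID record and not the project's Get-BGRegistry command: it uses only built-in PowerShell registry cmdlets to check the same three user-accessible paths and report whether each exists and what values it holds, since none of them is present on a default Windows install.

```powershell
# Added example: inspect the user-accessible registry paths listed above with
# built-in cmdlets (Get-BGRegistry is assumed to be unavailable here).
$paths = @(
    'HKCU:\Software\Classes\ms-settings\Shell\Open\command',
    'HKCU:\Software\Classes\mscfile\shell\open\command',
    'HKCU:\Software\Classes\exefile\shell\runas\command'
)

foreach ($p in $paths) {
    if (-not (Test-Path -Path $p)) {
        # Absent is the expected state on a clean system.
        [pscustomobject]@{ Path = $p; Present = $false; Values = $null }
        continue
    }

    # The key exists, which is itself worth investigating; collect its values
    # (the unnamed default value is shown as "(Default)", and IsolatedCommand
    # shows up here when it is set under the exefile runas path).
    $item   = Get-Item -Path $p
    $values = foreach ($name in $item.GetValueNames()) {
        $display = if ($name -eq '') { '(Default)' } else { $name }
        '{0}={1}' -f $display, $item.GetValue($name)
    }

    [pscustomobject]@{
        Path    = $p
        Present = $true
        Values  = ($values -join '; ')
    }
}
```

Any path reported as Present should be reviewed together with the process that created it, since these keys are not populated by the operating system.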