300-215 Exam Dumps : Conducting Forensic Analysis and Incident Response Using Cisco CyberOps Technologies (CBRFIR)

TheCisco Secure Firewall Threat Defense (Firepower)includes advanced capabilities such as intrusion prevention, URL filtering, and deep packet inspection. According to the CyberOps guide, it can detect and block C2 communications by analyzing traffic patterns and comparing them to threat intelligence data. The guide specifically states: "Advanced solutions such as Firepower provide detection capabilities for command and control (C2) traffic by identifying unusual outbound connections and behavioral anomalies".

The exhibit shows a PowerShell script that modifies registry keys under:

HKCU:\Software\Classes\Folder\shell\open\command

This technique is commonly associated with aUAC (User Account Control) bypass. Specifically:

It creates a new custom shell command path for opening folders.

The key registry property"DelegateExecute"is set, which is a known bypass method. If set without a value, it may cause Windows to run commands with elevated privileges without showing the UAC prompt.

The use ofHKCU(HKEY_CURRENT_USER) rather thanHKLM(HKEY_LOCAL_MACHINE) allows the attacker to bypass permissions since HKCU is writable by the current user. This registry hijack can be leveraged by a malicious actor to execute arbitrary commands with elevated rights.

This is identified in the Cisco CyberOps study material under “UAC bypass techniques,” which describes:

“Attackers often create or modify registry keys like DelegateExecute to hijack the default behavior of applications and elevate privileges”.

Thus, option B is correct: the exhibit demonstrates a UAC bypass using user-accessible registry modification.

The command in the image usesschtasks /createwith theONLOGONschedule andSystemuser context to executetest.exe. This is a well-documented persistence technique, where an attacker ensures that a malicious executable is launched automatically at each system logon. This kind of scheduled task creation aligns with persistence techniques in the MITRE ATT&CK framework (T1053).

—