Registry-Free Process Scope COR_PROFILER

 1title: Registry-Free Process Scope COR_PROFILER
 2id: 23590215-4702-4a70-8805-8dc9e58314a2
 3status: test
 4description: |
 5    Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.
 6    The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).
 7    These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.
 8    (Citation: Microsoft Profiling Mar 2017)
 9    (Citation: Microsoft COR_PROFILER Feb 2013)    
10references:
11    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler
12author: frack113
13date: 2021-12-30
14tags:
15    - attack.privilege-escalation
16    - attack.defense-evasion
17    - attack.persistence
18    - attack.t1574.012
19logsource:
20    product: windows
21    category: ps_script
22    definition: 'Requirements: Script Block Logging must be enabled'
23detection:
24    selection:
25        ScriptBlockText|contains|all:
26            - '$env:COR_ENABLE_PROFILING'
27            - '$env:COR_PROFILER'
28            - '$env:COR_PROFILER_PATH'
29    condition: selection
30falsepositives:
31    - Legitimate administrative script
32level: medium