Enabling COR Profiler Environment Variables
Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
Sigma rule
title: Enabling COR Profiler Environment Variables
id: ad89044a-8f49-4673-9a55-cbd88a1b374f
status: test
description: Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
references:
    - https://twitter.com/jamieantisocial/status/1304520651248668673
    - https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors
    - https://www.sans.org/cyber-security-summit/archives
    - https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling
author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), Jimmy Bayne (@bohops)
date: 2020-09-10
modified: 2023-11-24
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1574.012
logsource:
    category: registry_set
    product: windows
detection:
    selection_1:
        TargetObject|endswith:
            - '\COR_ENABLE_PROFILING'
            - '\COR_PROFILER'
            - '\CORECLR_ENABLE_PROFILING'
    selection_2:
        TargetObject|contains: '\CORECLR_PROFILER_PATH'
    condition: 1 of selection_*
level: medium
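The detection block above evaluated against constructed registry_set events, as an added Python example that is not part of the rule or the Sigma project. It assumes registry_set events are delivered as Sysmon Event ID 13 records with a TargetObject field; the SID and value paths in the sample events are made up.

```python
# Sigma string matching is case-insensitive by default, and a lone backslash
# before an ordinary character is a literal backslash, so the rule's patterns
# reduce to suffix/substring tests on the registry value path.
SELECTION_1_SUFFIXES = ("\\COR_ENABLE_PROFILING", "\\COR_PROFILER",
                        "\\CORECLR_ENABLE_PROFILING")
SELECTION_2_SUBSTRING = "\\CORECLR_PROFILER_PATH"

def selection_1(target_object: str) -> bool:
    """TargetObject|endswith over a list: any listed suffix matches."""
    t = target_object.lower()
    return any(t.endswith(s.lower()) for s in SELECTION_1_SUFFIXES)

def selection_2(target_object: str) -> bool:
    """TargetObject|contains: plain substring match."""
    return SELECTION_2_SUBSTRING.lower() in target_object.lower()

def matches_rule(event: dict) -> bool:
    """condition: 1 of selection_* (logical OR over the selections).

    Assumption: registry_set events arrive as Sysmon Event ID 13 (value set)
    records carrying a TargetObject field, as Sigma's Sysmon mapping uses.
    """
    if event.get("EventID") != 13:
        return False
    target = event.get("TargetObject", "")
    return selection_1(target) or selection_2(target)

def alerts(events) -> list:
    """Return the TargetObject of every event that fires the rule."""
    return [e["TargetObject"] for e in events if matches_rule(e)]

# Constructed sample events (not real telemetry); the SID is made up.
USER_ENV = "HKU\\S-1-5-21-1111-2222-3333-1001\\Environment\\"
MACHINE_ENV = "HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\Environment\\"
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": USER_ENV + "COR_ENABLE_PROFILING"},
    # different case still matches: Sigma modifiers are case-insensitive
    {"EventID": 13, "TargetObject": USER_ENV + "cor_profiler"},
    # 'contains' also covers the _32/_64 variants of CORECLR_PROFILER_PATH
    {"EventID": 13, "TargetObject": MACHINE_ENV + "CORECLR_PROFILER_PATH_64"},
    # unrelated environment variable: no match
    {"EventID": 13, "TargetObject": USER_ENV + "Path"},
    # key creation (Event ID 12) is not a registry_set event: no match
    {"EventID": 12, "TargetObject": USER_ENV + "COR_PROFILER"},
]
```

Running `alerts(SAMPLE_EVENTS)` returns the first three TargetObject paths; note that the .NET Framework `COR_PROFILER_PATH` value is not among the rule's patterns, so setting it alone does not fire this rule.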