attack.t1574.012 | Detection.FYI

Enabling COR Profiler Environment Variables

Apr 28, 2026 · attack.persistence attack.privilege-escalation attack.execution attack.stealth attack.t1574.012 ·
Share on:

Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.

Read More
Registry-Free Process Scope COR_PROFILER

Apr 28, 2026 · attack.privilege-escalation attack.persistence attack.execution attack.stealth attack.t1574.012 ·
Share on:

Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. (Citation: Microsoft Profiling Mar 2017) (Citation: Microsoft COR_PROFILER Feb 2013)

Read More