Registry-Free Process Scope COR_PROFILER
Jan 27, 2023 · attack.persistence attack.t1574.012
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. COR_PROFILER is a .NET Framework feature that allows developers to specify an unmanaged (that is, external to .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. (Citation: Microsoft Profiling Mar 2017) (Citation: Microsoft COR_PROFILER Feb 2013)
Enabling COR Profiler Environment Variables
Oct 26, 2022 · attack.persistence attack.privilege_escalation attack.defense_evasion attack.t1574.012
This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.