sigmamediumHunting

Enabling COR Profiler Environment Variables

Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.

MITRE ATT&CK

T1574.012

persistenceprivilege-escalationdefense-evasion

Detection Query

selection_1:
  TargetObject|endswith:
    - \COR_ENABLE_PROFILING
    - \COR_PROFILER
    - \CORECLR_ENABLE_PROFILING
selection_2:
  TargetObject|contains: \CORECLR_PROFILER_PATH
condition: 1 of selection_*

Author

Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), Jimmy Bayne (@bohops)

Created

2020-09-10

Data Sources

windowsRegistry Set Events

Platforms

windows

References

Tags

attack.persistenceattack.privilege-escalationattack.defense-evasionattack.t1574.012

Raw Content

title: Enabling COR Profiler Environment Variables
id: ad89044a-8f49-4673-9a55-cbd88a1b374f
status: test
description: Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
references:
    - https://twitter.com/jamieantisocial/status/1304520651248668673
    - https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors
    - https://www.sans.org/cyber-security-summit/archives
    - https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling
author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), Jimmy Bayne (@bohops)
date: 2020-09-10
modified: 2023-11-24
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1574.012
logsource:
    category: registry_set
    product: windows
detection:
    selection_1:
        TargetObject|endswith:
            - '\COR_ENABLE_PROFILING'
            - '\COR_PROFILER'
            - '\CORECLR_ENABLE_PROFILING'
    selection_2:
        TargetObject|contains: '\CORECLR_PROFILER_PATH'
    condition: 1 of selection_*
level: medium