T1574.012 Google Chronicle · YARA-L

Detect COR_PROFILER in Google Chronicle

Adversaries abuse the .NET Common Language Runtime (CLR) profiling API by setting the COR_ENABLE_PROFILING and COR_PROFILER environment variables so that a chosen DLL is loaded into every .NET Framework process started within the scope of those variables. With COR_ENABLE_PROFILING=1 and COR_PROFILER={CLSID}, the CLR looks the CLSID up in the registry and loads the registered COM profiler DLL. Starting with .NET Framework 4, COR_PROFILER_PATH can point directly at the DLL, so no COM registration is required and the technique leaves no CLSID entry in the registry. The variables can be set per process, per user (HKCU\Environment) or system-wide (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment); a system-wide setting gives persistence, and when a higher-privileged .NET process picks the variable up the profiler DLL runs with that process's privileges. The .NET Core / .NET 5+ runtime honours the equivalent CORECLR_ENABLE_PROFILING, CORECLR_PROFILER and CORECLR_PROFILER_PATH variables, which a detection scoped only to COR_* will miss. Blue Mockingbird used wmic.exe and registry modifications to set these values system-wide, loading a malicious DLL into .NET processes. Invisi-Shell sets them for a single PowerShell process to hook the CLR and bypass PowerShell ScriptBlock logging. DarkTortilla checks whether COR_ENABLE_PROFILING is set to detect analysis environments.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation Defense Evasion
Technique
T1574 Hijack Execution Flow
Sub-technique
T1574.012 COR_PROFILER
Canonical reference
https://attack.mitre.org/techniques/T1574/012/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule T1574_012_cor_profiler {
  meta:
    author = "Detection Engineering"
    description = "Detects .NET CLR profiler hijacking: COR_ENABLE_PROFILING, COR_PROFILER or COR_PROFILER_PATH written to a registry Environment key or passed on a process command line"
    severity = "high"
    confidence = "high"
    mitre_attack = "T1574.012"
    reference = "https://attack.mitre.org/techniques/T1574/012/"

  events:
    (
      // Vector 1: persistent variables under HKCU\Environment or
      // HKLM\...\Session Manager\Environment (Sysmon EID 13 / EDR registry telemetry).
      // CORECLR_* covers .NET Core / .NET 5+.
      $e.metadata.event_type = "REGISTRY_MODIFICATION" and
      re.regex($e.target.registry.registry_key, `(?i)\\Environment$`) and
      re.regex($e.target.registry.registry_value_name, `(?i)^(COR|CORECLR)_(ENABLE_PROFILING|PROFILER|PROFILER_PATH)$`)
    ) or
    (
      // Vector 2: variables set inline for one process (set/setx/wmic/PowerShell wrappers),
      // which never touch the registry and only show up on the command line.
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.target.process.command_line, `(?i)(COR|CORECLR)_(ENABLE_PROFILING|PROFILER|PROFILER_PATH)`)
    )

  condition:
    $e
}

Google Chronicle YARA-L 2.0 detection for COR_PROFILER. Detects COR_PROFILER abuse via two vectors: (1) registry modifications to environment keys setting COR_ENABLE_PROFILING, COR_PROFILER, or COR_PROFILER_PATH — enabling system-wide or user-level .NET pr

Data Sources

Google Chronicle SIEM; endpoint telemetry (Sysmon or EDR process-creation and registry-value-set events)

Required Tables

PROCESS_LAUNCH, REGISTRY_MODIFICATION

False Positives & Tuning

  • Application performance monitoring (APM) agents for .NET that register a legitimate CLR profiler system-wide during installation; allow-list the installer and the profiler DLL path rather than the variable name
  • Developer profiling, code-coverage and diagnostics tools that set COR_PROFILER or COR_PROFILER_PATH for a single process or for the developer's user session
  • Software deployment tooling that replays an APM agent's environment settings on build or application servers
  • Do not exclude SYSTEM-context writers: Blue Mockingbird's system-wide wmic technique produces exactly that, so tune on the profiler DLL path and CLSID, not on the writing account

Testing Methodology

Validate this detection against the three Atomic Red Team tests for T1574.012. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Set COR_PROFILER via Registry to Malicious DLL

    Expected signal: Sysmon Event ID 13 (Registry Value Set): three registry modifications to HKCU\Environment for COR_* values. reg.exe process creation events. The values persist until the cleanup command runs. Any .NET process launched in this user's session would attempt to load the (non-existent) profiler DLL.

  2. Test 2: Set System-Wide COR_PROFILER via wmic (Blue Mockingbird Technique)

    Expected signal: wmic.exe process creation (Sysmon Event ID 1) and Sysmon Event ID 13 for the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment key. If the test uses the Win32_Environment WMI class (wmic ENVIRONMENT create), the registry write is performed by the WMI provider host (WmiPrvSE.exe) rather than by wmic.exe or a cmd.exe child, so the detection must key on the registry key and value name, not on the writing process. Sysmon Event IDs 19/20/21 cover WMI event subscriptions (filters, consumers and bindings) and are not expected from this test. Any new .NET process spawned after this, for any user, would attempt to load the profiler DLL.

  3. Test 3: Demonstrate COR_PROFILER Bypass of ScriptBlock Logging (Invisi-Shell)

    Expected signal: PowerShell process creation captured by Sysmon Event ID 1. The variables are set only in this process's environment block (not in the registry), so they do not persist. They are visible in Sysmon only when they appear on a command line (for example a cmd.exe /c "set COR_ENABLE_PROFILING=1 && powershell.exe" wrapper); a variable inherited silently from the parent's environment block produces no command-line artefact and is a known blind spot of command-line-based detection for this test.
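The following is an added example, not code from the original page or from the detection package it describes. It mirrors the two vectors of the YARA-L rule in Python and runs them over constructed UDM-shaped events for the three tests above plus two benign records, so the expected alert, scope and suppression for each test can be checked before the rule is deployed. Field names (event_type, registry_key, value_name, value_data, command_line), the APPROVED_PROFILER_ROOT allow-list and the product paths it contains are assumptions for illustration, not Chronicle schema or vendor documentation.

```python
import re
from typing import Dict, List, Optional

# Shared regex: the three .NET Framework variables plus the CORECLR_*
# equivalents honoured by .NET Core / .NET 5+.
COR_VAR = re.compile(r"(COR|CORECLR)_(ENABLE_PROFILING|PROFILER|PROFILER_PATH)", re.IGNORECASE)
# HKCU\Environment and HKLM\...\Session Manager\Environment both end in \Environment.
ENV_KEY = re.compile(r"\\Environment$", re.IGNORECASE)
# Assumed tuning allow-list: install roots of approved APM/profiling products.
# The paths are illustrative, not vendor documentation.
APPROVED_PROFILER_ROOT = re.compile(r"^C:\\Program Files\\(New Relic|Datadog)\\", re.IGNORECASE)

# Constructed UDM-shaped events (not real Chronicle data).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Test 1: reg.exe writes HKCU\Environment (Sysmon EID 13 -> REGISTRY_MODIFICATION)
    {"event_type": "REGISTRY_MODIFICATION", "process": "C:\\Windows\\System32\\reg.exe",
     "registry_key": "HKEY_CURRENT_USER\\Environment",
     "value_name": "COR_ENABLE_PROFILING", "value_data": "1"},
    {"event_type": "REGISTRY_MODIFICATION", "process": "C:\\Windows\\System32\\reg.exe",
     "registry_key": "HKEY_CURRENT_USER\\Environment",
     "value_name": "COR_PROFILER", "value_data": "{00000000-0000-0000-0000-000000000000}"},
    # Test 2: wmic ENVIRONMENT create; the write lands via the WMI provider host
    {"event_type": "REGISTRY_MODIFICATION", "process": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "registry_key": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment",
     "value_name": "COR_PROFILER_PATH", "value_data": "C:\\Users\\Public\\prof.dll"},
    # Test 3: variables set inline for one process (Invisi-Shell style); no registry write
    {"event_type": "PROCESS_LAUNCH", "process": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /c set COR_ENABLE_PROFILING=1 && "
                     "set COR_PROFILER_PATH=C:\\Users\\Public\\prof.dll && powershell.exe"},
    # Benign: PATH edit under HKCU\Environment, not a COR_* value
    {"event_type": "REGISTRY_MODIFICATION", "process": "C:\\Windows\\System32\\SystemPropertiesAdvanced.exe",
     "registry_key": "HKEY_CURRENT_USER\\Environment",
     "value_name": "Path", "value_data": "C:\\Tools"},
    # Benign: APM agent installer registering its profiler from an approved root
    {"event_type": "REGISTRY_MODIFICATION", "process": "C:\\Windows\\System32\\msiexec.exe",
     "registry_key": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment",
     "value_name": "COR_PROFILER_PATH",
     "value_data": "C:\\Program Files\\New Relic\\.NET Agent\\NewRelic.Profiler.dll"},
]


def matches_rule(ev: Dict[str, str]) -> Optional[str]:
    """Mirror of the YARA-L events section: return the matched vector or None."""
    if ev["event_type"] == "REGISTRY_MODIFICATION":
        if ENV_KEY.search(ev["registry_key"]) and COR_VAR.fullmatch(ev["value_name"]):
            return "registry"
    elif ev["event_type"] == "PROCESS_LAUNCH":
        if COR_VAR.search(ev.get("command_line", "")):
            return "command_line"
    return None


def scope(ev: Dict[str, str]) -> str:
    """Triage aid: which .NET processes will pick the variable up."""
    key = ev.get("registry_key", "").upper()
    if key.startswith("HKEY_LOCAL_MACHINE"):
        return "system"   # every new .NET process, any user
    if key.startswith("HKEY_CURRENT_USER"):
        return "user"     # new .NET processes in that user's session
    return "process"      # only the launched process tree


def is_approved_profiler(ev: Dict[str, str]) -> bool:
    """Tuning: suppress a *_PROFILER_PATH value that points into an approved product root."""
    if not ev.get("value_name", "").upper().endswith("PROFILER_PATH"):
        return False
    return APPROVED_PROFILER_ROOT.match(ev.get("value_data", "")) is not None


def run_detection(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the rule and the tuning filter; return one alert per surviving event."""
    alerts = []
    for ev in events:
        vector = matches_rule(ev)
        if vector is None or is_approved_profiler(ev):
            continue
        alerts.append({"vector": vector, "scope": scope(ev), "process": ev["process"],
                       "detail": ev.get("value_name") or ev.get("command_line", "")})
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Tests 1 and 2 alert on the registry vector (user and system scope respectively), test 3 alerts on the command-line vector, the PATH edit never matches, and the APM installer matches the rule but is suppressed by the allow-list. Note that the allow-list keys on the DLL path, not on the writing process or account, for the reason given under tuning above.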
