Detect COR_PROFILER in CrowdStrike LogScale
Adversaries abuse the .NET Common Language Runtime (CLR) profiling API through the COR_ENABLE_PROFILING and COR_PROFILER environment variables to load a DLL of their choosing into every .NET process. When COR_ENABLE_PROFILING=1 and COR_PROFILER={CLSID} are set, each .NET application that starts loads the COM-registered profiler DLL for that CLSID. Starting with .NET Framework 4, COR_PROFILER_PATH can point straight at the DLL, so no COM registration (and no CLSID entry in the registry) is needed. The variables can be set at machine scope (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment), at user scope (HKCU\Environment), or only for a single process: the registry-backed scopes give persistence, while a process-scoped setting leaves no registry artifact. Blue Mockingbird used wmic.exe to set the variables in the system-wide Environment key so that its DLL loaded into .NET processes. The Invisi-Shell tool uses the same mechanism to load a profiler that disables PowerShell logging. DarkTortilla checks whether COR_ENABLE_PROFILING is set to detect that it is running under a profiler or sandbox.
MITRE ATT&CK
- Technique: T1574 Hijack Execution Flow
- Sub-technique: T1574.012 COR_PROFILER
- Canonical reference: https://attack.mitre.org/techniques/T1574/012/
LogScale Detection Query
#event_simpleName=/^(ProcessRollup2|SyntheticProcessRollup2)$/
| CommandLine=/(?i)COR_(ENABLE_PROFILING|PROFILER_PATH|PROFILER)/
| case {
    CommandLine=/(?i)(HKLM|HKEY_LOCAL_MACHINE|username="?<system>"?|setx.*\s\/m\b|SetEnvironmentVariable.*Machine)/ | RiskScore := "High";
    CommandLine=/(?i)(reg\s+add|ENVIRONMENT\s+create|setx|SetEnvironmentVariable|\bset\s+COR_)/ | RiskScore := "Medium";
    * | RiskScore := "Low";
  }
| RiskScore != "Low"
| groupBy([aid, ComputerName, ImageFileName, ParentBaseFileName, UserName, CommandLine, RiskScore], function=[count(as=EventCount), min(timestamp, as=FirstSeen)])
| table([ComputerName, UserName, ImageFileName, ParentBaseFileName, CommandLine, EventCount, RiskScore, FirstSeen])
| sort(RiskScore, order=asc)
CrowdStrike LogScale (Falcon) CQL detection for COR_PROFILER. It keys on the process that writes the variables (reg.exe, wmic.exe, setx.exe, PowerShell, or a cmd.exe session that sets them for a child), scoring machine-scope writes High, user- and process-scope writes Medium, and dropping command lines that merely read or mention a COR_* name. SYSTEM is deliberately not excluded, because an attacker with a foothold on an IIS or service host writes these values as a high-privilege account. Detects COR_PROFILER abuse via two vectors: (1) registry modifications to environment keys setting COR_ENABLE_PROFILING, COR_PROFILER, or COR_PROFILER_PATH, enabling system-wide or user-level .NET pr
Data Sources
- CrowdStrike Falcon process execution telemetry (ProcessRollup2 and SyntheticProcessRollup2) with the CommandLine, ImageFileName, ParentBaseFileName, UserName, ComputerName and aid fields populated
Required Tables
- #event_simpleName=ProcessRollup2
- #event_simpleName=SyntheticProcessRollup2
False Positives & Tuning
- Legitimate .NET profilers and application performance monitoring agents (for example the New Relic, Datadog and Dynatrace .NET agents) set COR_ENABLE_PROFILING and COR_PROFILER on the servers they instrument, usually at install time and as SYSTEM; allowlist the vendor's CLSID and DLL path rather than the installer's process name
- Code-coverage and diagnostic tooling on developer and build machines (OpenCover, for instance) enables the profiler for the processes it launches, typically at process scope
- Software deployment tools (SCCM, Intune) rolling out an APM agent produce the same registry writes under a deployment account
- Treat a COR_PROFILER_PATH that points into a user-writable directory (Temp, AppData, Downloads), or a COR_PROFILER CLSID with no matching HKCR\CLSID entry, as higher risk than a vendor DLL under Program Files
Testing Methodology
Validate this detection against the three Atomic Red Team tests for T1574.012. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Set COR_PROFILER via Registry to Malicious DLL
Expected signal: reg.exe process creation (in Falcon, a ProcessRollup2 event with the COR_* names in CommandLine) and Sysmon Event ID 13 (Registry Value Set) for three writes of COR_* values to HKCU\Environment. The values persist until the cleanup command runs, and any .NET process launched in this user's session would attempt to load the (non-existent) profiler DLL.
- Test 2: Set System-Wide COR_PROFILER via wmic (Blue Mockingbird Technique)
Expected signal: wmic.exe process creation from cmd.exe with ENVIRONMENT create and the COR_* names in its command line. The write to HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment is carried out by the WMI provider host (WmiPrvSE.exe) rather than by wmic.exe itself, so Sysmon Event ID 13 attributes it to that process. No WMI event subscription is created, so do not expect Sysmon Event IDs 19/20/21. Any new .NET process spawned afterwards would attempt to load the profiler DLL.
- Test 3: Demonstrate COR_PROFILER Bypass of ScriptBlock Logging (Invisi-Shell)
Expected signal: PowerShell process creation (Sysmon Event ID 1, Falcon ProcessRollup2) with the COR_* variable names in the command line or the process environment. The variables are set only for that process's scope, not in the registry, so nothing persists and a registry-based rule will not fire; command-line coverage of the launching cmd.exe is what catches this variant.
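The following Python is an added example, not part of the original detection package, that models the command-line based COR_PROFILER detection described on this page so it can be exercised offline. It classifies the writer of the variable (reg.exe and the wmic Win32_Environment write from tests 1 and 2, a cmd.exe session setting them for a child as in test 3, plus setx and PowerShell's SetEnvironmentVariable, which the tests do not cover), assigns the High/Medium/Low tiers, and groups hits the way the query's groupBy does. The events, hostnames, usernames and the all-zero CLSID are constructed; `setter_scope`, `score_event` and `detect` are names chosen here.

```python
"""Offline model of a COR_PROFILER command-line detection (added example)."""
import re
from collections import defaultdict
from typing import Optional

# The three variable names the CLR honours; PROFILER_PATH is listed before
# PROFILER so the longer name is matched whole.
COR_RE = re.compile(r"\bCOR_(ENABLE_PROFILING|PROFILER_PATH|PROFILER)\b", re.I)


def setter_scope(image: str, cmd: str) -> Optional[str]:
    """Classify how a process writes a COR_* variable.

    Returns "machine", "user" or "process", or None when the command line only
    mentions COR_* without writing it (reg query, a sandbox check, ...).
    """
    exe = image.rsplit("\\", 1)[-1].lower()
    low = cmd.lower()
    if exe == "reg.exe" and " add " in low:                              # test 1
        return "machine" if re.search(r"hklm|hkey_local_machine", low) else "user"
    if exe == "wmic.exe" and "environment" in low and "create" in low:   # test 2
        return "machine" if re.search(r'username="?<system>"?', low) else "user"
    if exe == "setx.exe":
        return "machine" if re.search(r"\s/m\b", low) else "user"
    if exe in ("powershell.exe", "pwsh.exe") and "setenvironmentvariable" in low:
        if re.search(r"['\"]machine['\"]", low):
            return "machine"
        if re.search(r"['\"]user['\"]", low):
            return "user"
        return "process"
    if exe == "cmd.exe" and re.search(r"\bset\s+cor_", low):            # test 3
        return "process"   # lives only in this cmd session, no registry artifact
    return None


RISK = {"machine": "High", "user": "Medium", "process": "Medium"}


def score_event(ev: dict) -> Optional[str]:
    """Mirror the query's case block: None if COR_* is absent, else a risk tier."""
    if not COR_RE.search(ev["CommandLine"]):
        return None
    return RISK.get(setter_scope(ev["ImageFileName"], ev["CommandLine"]), "Low")


GROUP_KEYS = ("ComputerName", "UserName", "ImageFileName", "ParentBaseFileName", "CommandLine")


def detect(events) -> list:
    """groupBy/count/min(FirstSeen) over High and Medium events, High first."""
    groups = defaultdict(lambda: {"EventCount": 0, "FirstSeen": None, "RiskScore": None})
    for ev in events:
        risk = score_event(ev)
        if risk not in ("High", "Medium"):      # Low is dropped, like the query
            continue
        g = groups[tuple(ev[k] for k in GROUP_KEYS)]
        g["EventCount"] += 1
        g["RiskScore"] = risk
        ts = ev["timestamp"]
        g["FirstSeen"] = ts if g["FirstSeen"] is None else min(g["FirstSeen"], ts)
    rows = [dict(zip(GROUP_KEYS, key), **g) for key, g in groups.items()]
    return sorted(rows, key=lambda r: ({"High": 0, "Medium": 1}[r["RiskScore"]], r["FirstSeen"]))


def _ev(host, user, image, parent, cmd, ts):
    return {"ComputerName": host, "UserName": user, "ImageFileName": image,
            "ParentBaseFileName": parent, "CommandLine": cmd, "timestamp": ts}


CLSID = "{00000000-0000-0000-0000-000000000000}"   # placeholder, not a real profiler
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed ProcessRollup2-style events; hosts, users and command lines are made up.
SAMPLE_EVENTS = [
    _ev("WS01", "alice", r"C:\Windows\System32\reg.exe", "cmd.exe",
        r"reg add HKCU\Environment /v COR_ENABLE_PROFILING /t REG_SZ /d 1 /f", 1000),
    _ev("WS01", "alice", r"C:\Windows\System32\reg.exe", "cmd.exe",
        rf"reg add HKCU\Environment /v COR_PROFILER /t REG_SZ /d {CLSID} /f", 1001),
    _ev("SRV02", "svc_admin", r"C:\Windows\System32\wbem\wmic.exe", "cmd.exe",
        f'wmic ENVIRONMENT create name="COR_PROFILER",username="<system>",VariableValue="{CLSID}"', 2000),
    _ev("WS03", "bob", PS, "explorer.exe",
        "powershell -c \"[Environment]::SetEnvironmentVariable('COR_PROFILER_PATH','C:\\Temp\\p.dll','Machine')\"", 3000),
    _ev("WS04", "carol", r"C:\Windows\System32\cmd.exe", "explorer.exe",
        "cmd /c set COR_ENABLE_PROFILING=1 && set COR_PROFILER_PATH=C:\\Temp\\p.dll && powershell", 4000),
    _ev("WS05", "dave", r"C:\Windows\System32\reg.exe", "cmd.exe",
        r"reg query HKCU\Environment /v COR_PROFILER", 5000),          # read only: Low
    _ev("WS06", "erin", r"C:\Windows\System32\reg.exe", "cmd.exe",
        r"reg add HKCU\Environment /v PATH /t REG_SZ /d C:\Tools /f", 6000),  # no COR_*
]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row["RiskScore"], row["ComputerName"], row["UserName"], row["CommandLine"])
```

Running it yields two High rows (the wmic system-wide write and the PowerShell Machine-scope write) followed by three Medium rows (the two user-scope reg.exe writes and the process-scoped cmd.exe session); the reg query and the unrelated PATH write are not reported. Note that the process-scope case is only visible because the variables appear on the parent cmd.exe command line; an Invisi-Shell launch that inherits them silently needs process-environment telemetry, which this model does not have.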
References (6)
- https://attack.mitre.org/techniques/T1574/012/
- https://redcanary.com/blog/cor_profiler-for-persistence/
- https://redcanary.com/blog/blue-mockingbird-cryptominer/
- https://github.com/OmerYa/Invisi-Shell
- https://offsec.almond.consulting/UAC-bypass-dotnet.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md