Detect COR_PROFILER in IBM QRadar

Adversaries abuse the .NET Common Language Runtime (CLR) profiling API via the COR_PROFILER and COR_ENABLE_PROFILING environment variables to load malicious DLLs into every .NET process. Setting COR_ENABLE_PROFILING=1 and COR_PROFILER={CLSID} causes any .NET application to load the registered COM profiler DLL. Starting with .NET 4.0, the COR_PROFILER_PATH variable can directly specify the DLL path without COM registration, enabling in-memory persistence. Blue Mockingbird used wmic.exe to set these registry variables system-wide, loading a malicious DLL into .NET processes. The Invisi-Shell tool uses this technique to bypass PowerShell logging. DarkTortilla malware checks for COR_ENABLE_PROFILING to detect sandbox analysis.

MITRE ATT&CK

Tactic
Persistence, Privilege Escalation, Defense Evasion
Technique
T1574 Hijack Execution Flow
Sub-technique
T1574.012 COR_PROFILER
Canonical reference
https://attack.mitre.org/techniques/T1574/012/

QRadar Detection Query

IBM QRadar (QRadar), AQL:
SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP, username,
  "CommandLine", "Image" AS ProcessImage,
  "TargetFilename" AS ModifiedFile,
  CASE
    WHEN "TargetFilename" ILIKE '%\\temp\\%.exe' AND eventid = 11 THEN 90
    WHEN "TargetFilename" ILIKE '%\\temp\\%.dll' AND eventid = 11 THEN 80
    ELSE 50
  END AS RiskScore,
  CASE
    WHEN eventid = 11 AND "TargetFilename" ILIKE '%\\temp\\%.exe' THEN 'EXE Created in Temp'
    WHEN eventid = 1 AND "Image" ILIKE '%\\temp\\%' THEN 'Elevated Execution from Temp'
    ELSE 'Suspicious File Activity'
  END AS AlertType
FROM events
WHERE eventid IN (1, 11)
  AND ("Image" ILIKE '%\\temp\\%' OR "TargetFilename" ILIKE '%\\temp\\%')
  AND ("Image" ILIKE '%.exe%' OR "TargetFilename" ILIKE '%.exe' OR "TargetFilename" ILIKE '%.dll')
  AND username NOT ILIKE '%SYSTEM%'
  AND username NOT ILIKE '%TrustedInstaller%'
  AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
ORDER BY RiskScore DESC
LAST 24 HOURS
Severity: high. Confidence: high.

QRadar AQL detection for COR_PROFILER. Detects COR_PROFILER abuse via two vectors: (1) registry modifications to environment keys setting COR_ENABLE_PROFILING, COR_PROFILER, or COR_PROFILER_PATH — enabling system-wide or user-level .NET pr

Data Sources

  • Sysmon Event ID 1
  • Sysmon Event ID 11

Required Tables

events

False Positives & Tuning

  • Legitimate multi-stage installer processes that modify binaries during installation
  • Enterprise software deployment (SCCM, Intune) staging binaries in temp directories
  • Self-updating applications modifying their own components
  • Antivirus software modifying installer files during remediation
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Set COR_PROFILER via Registry to Malicious DLL

    Expected signal: Sysmon Event ID 13 (Registry Value Set): three registry modifications to HKCU\Environment for COR_* values. reg.exe process creation events. The values persist until the cleanup command runs. Any .NET process launched in this user's session would attempt to load the (non-existent) profiler DLL.

  2. Test 2: Set System-Wide COR_PROFILER via wmic (Blue Mockingbird Technique)

    Expected signal: wmic.exe process creation followed by cmd.exe processes setting registry values. Sysmon Event ID 13 for HKLM Environment key modifications. Sysmon Event ID 19/20/21 for WMI activity. Any new .NET process spawned after this would attempt to load the profiler DLL.

  3. Test 3: Demonstrate COR_PROFILER Bypass of ScriptBlock Logging (Invisi-Shell)

    Expected signal: PowerShell process creation with COR_* variable names in command line or environment. Sysmon Event ID 1 captures the process creation. The environment variables are set only for this process's scope (not registry), so they don't persist.
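The registry and command-line vectors described in the technique summary, and the Sysmon Event ID 13 and Event ID 1 signals the three tests above expect, as an added Python example that is not part of this page's QRadar content. The events are constructed and simplified (a handful of Sysmon fields; the SID, CLSID and DLL path are placeholders), and the scores and the per-principal correlation are this example's own design, not QRadar's or the page's AQL.

```python
"""Flag COR_PROFILER abuse in Sysmon-style events (constructed sample data)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Value names from the technique description.
COR_VALUE_NAMES = {"COR_ENABLE_PROFILING", "COR_PROFILER", "COR_PROFILER_PATH"}

# Environment keys where a COR_* value persists. Sysmon renders HKCU as
# HKU\<SID>, so both spellings are accepted (assumption: standard Sysmon rendering).
ENV_KEY_RE = re.compile(
    r"^(HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d+)\\Control\\Session Manager\\Environment"
    r"|HKU\\[^\\]+\\Environment|HKCU\\Environment)$",
    re.IGNORECASE,
)

# COR_* assignment in a process command line (Test 3 style: process-scoped, not persisted).
COR_CMDLINE_RE = re.compile(r"\bCOR_(?:ENABLE_PROFILING|PROFILER(?:_PATH)?)\s*=", re.IGNORECASE)


@dataclass
class Finding:
    score: int
    alert: str
    user: str
    indicator: str   # COR_* value name for registry hits, "COMMANDLINE" for process hits
    evidence: str


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding for one event, or None when it does not match either vector."""
    eid = event.get("EventID")
    user = event.get("User", "")
    if eid == 13:  # RegistryEvent (Value Set)
        key, _, value_name = event.get("TargetObject", "").rpartition("\\")
        name = value_name.upper()
        if name not in COR_VALUE_NAMES or not ENV_KEY_RE.match(key):
            return None
        machine_wide = key.upper().startswith("HKLM")
        score = 90 if machine_wide else 80
        if name == "COR_PROFILER_PATH":
            score += 5  # no COM registration needed, so fewer other registry artefacts to catch
        scope = "system-wide" if machine_wide else "user"
        evidence = f"{event.get('Image', '?')} -> {value_name}={event.get('Details', '')}"
        return Finding(score, f"{name} set in {scope} Environment key", user, name, evidence)
    if eid == 1:  # ProcessCreate
        cmd = event.get("CommandLine", "")
        if COR_CMDLINE_RE.search(cmd):
            return Finding(70, "COR_* variable set in process command line (process-scoped)",
                           user, "COMMANDLINE", cmd)
    return None


def detect(events: List[dict]) -> List[Finding]:
    """Classify events, then escalate principals that set both the enable flag and a profiler."""
    findings = [f for f in (classify(e) for e in events) if f]
    reg_by_user: Dict[str, Set[str]] = {}
    for f in findings:
        if f.indicator in COR_VALUE_NAMES:
            reg_by_user.setdefault(f.user, set()).add(f.indicator)
    for f in findings:
        names = reg_by_user.get(f.user, set())
        if "COR_ENABLE_PROFILING" in names and names & {"COR_PROFILER", "COR_PROFILER_PATH"}:
            f.score = max(f.score, 95)
            f.alert += "; enable flag and profiler both set by this principal"
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed, simplified Sysmon fields; not real telemetry. SID, CLSID and path are placeholders.
SID = "S-1-5-21-1000-2000-3000-1001"
CLSID = "{00000000-0000-0000-0000-000000000001}"
SAMPLE_EVENTS = [
    {"EventID": 13, "User": "CORP\\alice", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": rf"HKU\{SID}\Environment\COR_ENABLE_PROFILING", "Details": "1"},
    {"EventID": 13, "User": "CORP\\alice", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": rf"HKU\{SID}\Environment\COR_PROFILER", "Details": CLSID},
    {"EventID": 13, "User": "CORP\\admin", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\COR_PROFILER_PATH",
     "Details": r"C:\Users\Public\profiler.dll"},
    {"EventID": 1, "User": "CORP\\bob", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"cmd.exe /c set COR_ENABLE_PROFILING=1&& set COR_PROFILER={CLSID}&& powershell.exe"},
    {"EventID": 13, "User": "CORP\\alice", "Image": r"C:\Windows\System32\SystemPropertiesAdvanced.exe",
     "TargetObject": rf"HKU\{SID}\Environment\Path", "Details": r"C:\Tools"},  # benign
    {"EventID": 1, "User": "CORP\\bob", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},  # benign
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f.score, f.user, f.alert, "|", f.evidence)
```

The two benign events (a Path edit and a plain notepad launch) are dropped by classify; the two user-level COR_* writes from the same principal are escalated because the CLR only loads a profiler when both the enable flag and a profiler value are present, which is the condition Test 1 and Test 2 set up. Command-line assignments stay at a lower score and are never correlated with registry writes, since, as Test 3 notes, they are scoped to one process and do not persist.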
