Detect COR_PROFILER in Splunk
Adversaries abuse the .NET Common Language Runtime (CLR) profiling API via the COR_PROFILER and COR_ENABLE_PROFILING environment variables to load malicious DLLs into every .NET process. Setting COR_ENABLE_PROFILING=1 and COR_PROFILER={CLSID} causes any .NET application to load the COM profiler DLL registered under that CLSID. Starting with .NET 4.0, the COR_PROFILER_PATH variable can specify the DLL path directly, without COM registration, enabling in-memory persistence. Blue Mockingbird used wmic.exe to set these variables system-wide in the registry, loading a malicious DLL into .NET processes. The Invisi-Shell tool uses this technique to bypass PowerShell logging. DarkTortilla malware checks for COR_ENABLE_PROFILING to detect sandbox analysis.
MITRE ATT&CK
- Technique
- T1574 Hijack Execution Flow
- Sub-technique
- T1574.012 COR_PROFILER
- Canonical reference
- https://attack.mitre.org/techniques/T1574/012/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=13 OR EventCode=1)
| eval event_type=case(
    EventCode=13, "registry",
    EventCode=1, "process",
    true(), "other")
| where event_type IN ("registry", "process")
| eval CORMatch=if(
    (event_type="registry" AND match(TargetObject, "(?i)COR_(ENABLE_PROFILING|PROFILER|PROFILER_PATH)")) OR
    (event_type="process" AND match(CommandLine, "(?i)COR_(ENABLE_PROFILING|PROFILER|PROFILER_PATH)")),
    1, 0)
| where CORMatch=1
| eval IsSystemScope=case(
    event_type="registry" AND match(TargetObject, "^HKLM"), "SYSTEM_WIDE",
    event_type="registry", "USER_SCOPE",
    true(), "PROCESS_ENV")
| eval Target=coalesce(TargetObject, Image), Value=coalesce(Details, CommandLine)
| table _time, host, User, event_type, Target, Value, IsSystemScope
| sort - _time
Detects COR_PROFILER manipulation via registry (Sysmon EventCode 13) and process command line (EventCode 1). The base search restricts to those two event codes before the evals run, the regex is case-insensitive because Windows environment variable names are, and the coalesce() calls are moved into an eval because the table command does not evaluate functions. Distinguishes system-wide injection (HKLM registry) from user-scope (HKCU), as HKLM modifications affect all .NET processes on the system and represent a higher-severity finding; Sysmon records HKCU paths as HKU\<SID>, so the rule keys on the absence of HKLM rather than on a literal HKCU. Matches that appear only on a command line are labelled PROCESS_ENV, since they affect just that process tree and leave no registry footprint. wmic.exe setting these values (as seen in Blue Mockingbird) is particularly suspicious.
Data Sources
Required Sourcetypes
False Positives & Tuning
- APM tools (Dynatrace, New Relic, Datadog) that inject .NET agents via COR_PROFILER in production
- Development profilers (JetBrains, Visual Studio) setting COR_PROFILER in development environments
- CI/CD code coverage agents using COR_PROFILER for test instrumentation
- Some security tools that monitor .NET execution via profiler hooks
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Set COR_PROFILER via Registry to Malicious DLL
Expected signal: Sysmon Event ID 13 (Registry Value Set): three registry modifications to HKCU\Environment for COR_* values. reg.exe process creation events. The values persist until the cleanup command runs. Any .NET process launched in this user's session would attempt to load the (non-existent) profiler DLL.
- Test 2: Set System-Wide COR_PROFILER via wmic (Blue Mockingbird Technique)
Expected signal: wmic.exe process creation followed by cmd.exe processes setting registry values. Sysmon Event ID 13 for HKLM Environment key modifications. Sysmon Event ID 19/20/21 for WMI activity. Any new .NET process spawned after this would attempt to load the profiler DLL.
- Test 3: Demonstrate COR_PROFILER Bypass of ScriptBlock Logging (Invisi-Shell)
Expected signal: PowerShell process creation with COR_* variable names in command line or environment. Sysmon Event ID 1 captures the process creation. The environment variables are set only for this process's scope (not registry), so they don't persist.
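As an added example that is not part of this page's detection package, the Python below re-implements the logic of the SPL query (Sysmon EventCode 13 and 1, COR_* matching, HKLM versus user scope) over constructed Sysmon events that mirror the three Atomic tests above, and adds the allowlist step a tuned version of the rule needs for the APM and developer profilers listed under False Positives & Tuning. It also refines the SPL's scope label by tagging command-line-only matches as PROCESS_ENV rather than USER_SCOPE. Every host, user, SID, CLSID, path and allowlist entry is a constructed placeholder, and the code assumes events have already been parsed into dicts carrying the Sysmon EventData field names.

```python
"""Added example: the SPL detection above re-implemented in Python with a tuning
allowlist. Events are dicts carrying Sysmon EventData field names (TargetObject,
Details, Image, CommandLine, User); every sample value below is constructed."""
import re
from collections import namedtuple

# Same alternation as the SPL match(); PROFILER_PATH precedes PROFILER so finditer() reports the longer name.
COR_VAR_RE = re.compile(r"COR_(?:ENABLE_PROFILING|PROFILER_PATH|PROFILER)", re.IGNORECASE)
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)

# Allowlist for the legitimate profilers under False Positives & Tuning. Both entries are CONSTRUCTED placeholders.
KNOWN_PROFILER_CLSIDS = {"{11111111-2222-3333-4444-555555555555}"}   # e.g. an APM agent's registered CLSID
KNOWN_PROFILER_DIRS = ("c:\\program files\\exampleapm\\",)            # e.g. where its DLL is installed

# One row per matching event, mirroring the SPL table (scope: SYSTEM_WIDE / USER_SCOPE / PROCESS_ENV).
Finding = namedtuple("Finding", "time host user event_type target value variables "
                                "scope value_kind allowlisted severity")

def cor_variables(text):
    """Distinct COR_* names in text, upper-cased, in order of first appearance."""
    return tuple(dict.fromkeys(m.group(0).upper() for m in COR_VAR_RE.finditer(text or "")))

def scope_of(event_type, target_object):
    """HKLM\\...\\Environment reaches every .NET process on the host; Sysmon renders HKCU as
    HKU\\<SID>, so 'not HKLM' is the user-scope test; a command-line-only hit is process-scoped."""
    if event_type != "registry":
        return "PROCESS_ENV"
    return "SYSTEM_WIDE" if target_object.upper().startswith("HKLM") else "USER_SCOPE"

def classify_value(variable, details):
    d = details.strip()
    if variable == "COR_ENABLE_PROFILING":
        return "enable_flag"
    if variable == "COR_PROFILER" and CLSID_RE.match(d):
        return "clsid"      # must resolve through HKCR\CLSID\{...}\InprocServer32
    if variable == "COR_PROFILER_PATH" or d.lower().endswith(".dll"):
        return "path"       # .NET 4.0+: direct DLL path, no COM registration needed
    return "other"

def is_allowlisted(value_kind, details):
    d = details.strip().lower()
    if value_kind == "clsid":
        return d in {c.lower() for c in KNOWN_PROFILER_CLSIDS}
    if value_kind == "path":
        return d.startswith(KNOWN_PROFILER_DIRS)
    return False            # a bare COR_ENABLE_PROFILING=1 cannot be vouched for on its own

def detect(events):
    findings = []
    for ev in events:
        etype = {13: "registry", 1: "process"}.get(ev.get("EventCode"), "other")
        if etype == "registry":
            target, value = ev.get("TargetObject", ""), ev.get("Details", "")
            variables = cor_variables(target)
            kind = classify_value(variables[0], value) if variables else "other"
            allow = is_allowlisted(kind, value)
        elif etype == "process":
            target, value = ev.get("Image", ""), ev.get("CommandLine", "")
            variables, kind, allow = cor_variables(value), "command_line", False
        else:
            continue
        if not variables:
            continue
        scope = scope_of(etype, target)
        severity = "INFO" if allow else ("HIGH" if scope == "SYSTEM_WIDE" else "MEDIUM")
        findings.append(Finding(ev.get("_time", ""), ev.get("host", ""), ev.get("User", ""),
                                etype, target, value, variables, scope, kind, allow, severity))
    return sorted(findings, key=lambda f: f.time, reverse=True)   # SPL: sort - _time

# Constructed telemetry mirroring the three Atomic tests plus benign noise.
USER_ENV = "HKU\\S-1-5-21-1111-2222-3333-1001\\Environment\\"   # how Sysmon renders HKCU\Environment
SYS_ENV = "HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\Environment\\"
CLSID_X = "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"               # unregistered placeholder CLSID
TMP_DLL = "C:\\Users\\alice\\AppData\\Local\\Temp\\profiler.dll"  # placeholder DLL path

def _reg(t, host, user, image, key, value):
    return {"_time": t, "host": host, "User": user, "EventCode": 13, "Image": image, "TargetObject": key, "Details": value}

def _proc(t, host, user, image, cmd):
    return {"_time": t, "host": host, "User": user, "EventCode": 1, "Image": image, "CommandLine": cmd}

SAMPLE_EVENTS = [
    # Test 1: reg.exe writes three values under the user's Environment key
    _reg("2024-05-01T10:00:01", "ws01", "CORP\\alice", "C:\\Windows\\System32\\reg.exe", USER_ENV + "COR_ENABLE_PROFILING", "1"),
    _reg("2024-05-01T10:00:02", "ws01", "CORP\\alice", "C:\\Windows\\System32\\reg.exe", USER_ENV + "COR_PROFILER", CLSID_X),
    _reg("2024-05-01T10:00:03", "ws01", "CORP\\alice", "C:\\Windows\\System32\\reg.exe", USER_ENV + "COR_PROFILER_PATH", TMP_DLL),
    # Test 2: cmd.exe spawned by wmic sets the machine-wide key (Blue Mockingbird)
    _reg("2024-05-01T10:05:00", "srv02", "NT AUTHORITY\\SYSTEM", "C:\\Windows\\System32\\cmd.exe", SYS_ENV + "COR_PROFILER", CLSID_X),
    # Test 3: variables exist only in one process's environment, no registry write
    _proc("2024-05-01T10:10:00", "ws01", "CORP\\alice", "C:\\Windows\\System32\\cmd.exe",
          f"cmd.exe /c set COR_ENABLE_PROFILING=1 && set COR_PROFILER={CLSID_X} && set COR_PROFILER_PATH={TMP_DLL} && powershell.exe -nop"),
    # Legitimate APM agent install: machine-wide, but the CLSID is on the allowlist
    _reg("2024-05-01T11:00:00", "srv03", "NT AUTHORITY\\SYSTEM", "C:\\Program Files\\ExampleAPM\\setup.exe", SYS_ENV + "COR_PROFILER", "{11111111-2222-3333-4444-555555555555}"),
    # Noise that must not fire
    _proc("2024-05-01T11:30:00", "ws01", "CORP\\alice", "C:\\Windows\\System32\\svchost.exe", "svchost.exe -k netsvcs"),
    _reg("2024-05-01T11:31:00", "ws01", "CORP\\alice", "C:\\Windows\\explorer.exe", USER_ENV + "Path", "C:\\Users\\alice\\bin"),
]
```

Running `detect(SAMPLE_EVENTS)` yields six findings: the Test 2 HKLM write is the single HIGH, the three Test 1 HKCU writes and the Test 3 command line are MEDIUM, and the allowlisted APM install drops to INFO while still being recorded, so a changed or spoofed CLSID would surface again. The allowlist keys on the CLSID or install directory rather than on the writing process, because the page's Blue Mockingbird case shows that the writer (cmd.exe under wmic) is exactly what an adversary controls.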
References (6)
- https://attack.mitre.org/techniques/T1574/012/
- https://redcanary.com/blog/cor_profiler-for-persistence/
- https://redcanary.com/blog/blue-mockingbird-cryptominer/
- https://github.com/OmerYa/Invisi-Shell
- https://offsec.almond.consulting/UAC-bypass-dotnet.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md