title: COR_PROFILER (T1574.012)
id: df00tech-t1574-012
status: experimental
description: "Adversaries abuse the .NET Common Language Runtime (CLR) profiling API via the COR_PROFILER and COR_ENABLE_PROFILING environment variables to load malicious DLLs into every .NET process. Setting COR_ENABLE_PROFILING=1 and COR_PROFILER={CLSID} causes any .NET application to load the registered COM profiler DLL. Starting with .NET 4.0, the COR_PROFILER_PATH variable can directly specify the DLL path without COM registration, enabling in-memory persistence. Blue Mockingbird used wmic.exe to set these registry variables system-wide, loading a malicious DLL into .NET processes. The Invisi-Shell tool uses this technique to bypass PowerShell logging. DarkTortilla malware checks for COR_ENABLE_PROFILING to detect sandbox analysis."
references:
  - https://attack.mitre.org/techniques/T1574/012/
  - https://df00tech.com/detections/T1574.012
author: df00tech
date: 2026/03/11
tags:
  - attack.t1574.012
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # df00tech's canonical KQL/SPL query could not be auto-translated; the selection below
  # matches command lines that set the CLR profiler environment variables (for example via
  # wmic.exe, reg.exe or setx.exe) and should be tuned to your environment. The substring
  # 'COR_PROFILER' also covers COR_PROFILER_PATH.
  selection:
    CommandLine|contains:
      - 'COR_ENABLE_PROFILING'
      - 'COR_PROFILER'
  condition: selection
falsepositives:
  - "Legitimate .NET profiling tools (dotMemory, dotTrace, JetBrains Rider) that set COR_PROFILER during development sessions"
  - "Performance monitoring platforms (Dynatrace, New Relic, AppDynamics) that inject .NET agents via COR_PROFILER"
  - "Code coverage tools (OpenCover, Coverlet) used in CI/CD pipelines that use COR_PROFILER for instrumentation"
  - "Visual Studio diagnostic and performance profiling sessions"
level: high
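As an added, defender-side illustration that is not part of the df00tech rule, the Python below applies the same process_creation idea to a few constructed Sysmon-style events: it flags command lines that set the three profiler variables named in the description, suppresses sanctioned profiling tools via an allow-list, and additionally marks whether the change is machine-wide (the `username="<system>"` wmic form or an HKLM registry path) versus per-user. `ALLOWED_IMAGES`, the sample events, the placeholder CLSID and the DLL path are assumptions.

```python
import re
from typing import Dict, List

# Environment variables that control CLR profiler loading (from the rule description).
PROFILER_VARS = ("COR_ENABLE_PROFILING", "COR_PROFILER", "COR_PROFILER_PATH")

# Hypothetical allow-list of sanctioned profiler/APM images for this environment.
ALLOWED_IMAGES = {r"c:\program files\jetbrains\dottrace\dottrace.exe"}

# Constructed sample process_creation events; not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": 'wmic ENVIRONMENT create name="COR_ENABLE_PROFILING",username="<system>",VariableValue="1"'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v COR_PROFILER_PATH /t REG_SZ /d C:\Users\Public\prof.dll'},
    {"Image": r"C:\Program Files\JetBrains\dotTrace\dotTrace.exe",
     "CommandLine": "dotTrace.exe --profiler COR_PROFILER={PLACEHOLDER-CLSID}"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

# Longest names first so COR_PROFILER_PATH is not reported as a bare COR_PROFILER hit.
VAR_RE = re.compile("|".join(re.escape(v) for v in sorted(PROFILER_VARS, key=len, reverse=True)),
                    re.IGNORECASE)
# Indicators that the variable is being written at machine scope rather than for one user.
SYSTEM_SCOPE_RE = re.compile(r'username="<system>"|HKLM\\|HKEY_LOCAL_MACHINE', re.IGNORECASE)


def classify(event: Dict[str, str]) -> Dict[str, object]:
    """Classify one process_creation event as clean, allowed (sanctioned tool) or alert."""
    cmd = event.get("CommandLine", "")
    hits = sorted({m.group(0).upper() for m in VAR_RE.finditer(cmd)})
    if not hits:
        return {"verdict": "clean", "vars": []}
    if event.get("Image", "").lower() in ALLOWED_IMAGES:
        return {"verdict": "allowed", "vars": hits}
    return {"verdict": "alert", "vars": hits,
            "system_wide": bool(SYSTEM_SCOPE_RE.search(cmd))}


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return only the events that warrant an alert, with the image attached for triage."""
    return [dict(classify(e), Image=e.get("Image", "")) for e in events
            if classify(e)["verdict"] == "alert"]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```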
