Enabling COR Profiler Environment Variables

Severity: medium
Author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), Jimmy Bayne (@bohops)
Source: upstream

Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1574.012` Hijack Execution Flow: COR_PROFILER
Privilege Escalation	`T1574.012` Hijack Execution Flow: COR_PROFILER
Defense Evasion	`T1574.012` Hijack Execution Flow: COR_PROFILER

Event coverage

Provider	Event ID	Title
Sysmon	13	RegistryEvent (Value Set)

Stages and Predicates

Stage 1: `1 of selection_1`

or:
TargetObject|endswith: '\CORECLR_ENABLE_PROFILING'
TargetObject|endswith: '\COR_ENABLE_PROFILING'
TargetObject|endswith: '\COR_PROFILER'

Stage 2: `1 of selection_2`

TargetObject|contains: '\CORECLR_PROFILER_PATH'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`TargetObject`	ends_with	`\CORECLR_ENABLE_PROFILING` `\COR_ENABLE_PROFILING` `\COR_PROFILER`
`TargetObject`	match	`\CORECLR_PROFILER_PATH`