Detection (level: medium, status: test)
Enabling COR Profiler Environment Variables
Detects the .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" environment variables being set and configured in the registry.
Authors
Jose Rodriguez, OTR (Open Threat Research), Jimmy Bayne
Created Thu Sep 10, updated Fri Nov 24
Platform
windows
Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic
Detection Logic (2 selectors)

detection:
    selection_1:
        TargetObject|endswith:
            - '\COR_ENABLE_PROFILING'
            - '\COR_PROFILER'
            - '\CORECLR_ENABLE_PROFILING'
    selection_2:
        TargetObject|contains: '\CORECLR_PROFILER_PATH'
    condition: 1 of selection_*
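As an added example (not part of the rule or of this page), the two selectors applied in Python to constructed records in the shape of Sysmon Event ID 13 (registry value set). The field names, sample key paths and the profiler DLL path are assumptions; Sigma string modifiers are case-insensitive, so the matcher normalises case before comparing.

```python
"""Apply Sigma rule ad89044a-8f49-4673-9a55-cbd88a1b374f to registry_set events."""
from typing import Dict, Iterable, List

# Selectors copied from the detection block; the condition is "1 of selection_*".
SELECTION_1_ENDSWITH = (
    "\\COR_ENABLE_PROFILING",
    "\\COR_PROFILER",
    "\\CORECLR_ENABLE_PROFILING",
)
SELECTION_2_CONTAINS = ("\\CORECLR_PROFILER_PATH",)


def matches_rule(event: Dict[str, str]) -> bool:
    """True when either selector matches the event's TargetObject (case-insensitive)."""
    target = event.get("TargetObject", "").lower()
    sel1 = any(target.endswith(s.lower()) for s in SELECTION_1_ENDSWITH)
    # 'contains' also catches suffixed variants such as CORECLR_PROFILER_PATH_64.
    sel2 = any(s.lower() in target for s in SELECTION_2_CONTAINS)
    return sel1 or sel2


def alerts(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the subset of events that would raise this rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (assumed Sysmon Event ID 13 field names, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": "13", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-1111\\Environment\\COR_ENABLE_PROFILING",
     "Details": "1"},
    {"EventID": "13", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-1111\\Environment\\cor_profiler",
     "Details": "{placeholder-clsid}"},
    {"EventID": "13", "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
                     "\\Environment\\CORECLR_PROFILER_PATH_64",
     "Details": "C:\\Users\\Public\\profiler.dll"},
    {"EventID": "13", "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-1111\\Environment\\Path",
     "Details": "C:\\tools"},
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(hit["Image"], "->", hit["TargetObject"])
```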
Rule Metadata
Rule ID
ad89044a-8f49-4673-9a55-cbd88a1b374f
Status
test
Level
medium
Type
Detection
Created
Thu Sep 10
Modified
Fri Nov 24
Path
rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml
Raw Tags
attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1574.012