AN1319: Analytic 1319
Modification of COR_PROFILER-related environment variables or Registry keys (COR_ENABLE_PROFILING, COR_PROFILER, COR_PROFILER_PATH), combined with anomalous .NET process creation or unmanaged DLL loads. Defender observes registry modifications, suspicious process creation with altered environment variables, and profiler DLLs loaded unexpectedly into .NET CLR processes.
Analyst context for executives and security teams
This analytic matters because changes to COR_PROFILER-related settings can cause profiler DLLs to be loaded into Windows .NET processes. From a business-risk perspective, that makes it a useful control point for detecting unexpected code loading in business applications, admin tools, or other .NET-dependent workflows. Leaders should treat this as a Windows endpoint visibility and change-control question: can the organization see who changed these environment variables or Registry keys, and can it identify .NET processes loading profiler DLLs unexpectedly?
Executive priority
Prioritize this where Windows and .NET applications support critical operations, privileged administration, or regulated business processes. The decision value is not that this analytic guarantees detection, but that it tests whether endpoint logging, process telemetry, DLL-load visibility, and Registry/environment-variable monitoring are mature enough to support incident response and audit evidence when unexpected runtime instrumentation occurs.
Technical view
Validate monitoring for modification of COR_ENABLE_PROFILING, COR_PROFILER, and COR_PROFILER_PATH in Windows environment variables and Registry locations, then correlate those changes with anomalous .NET process creation and unmanaged DLL loads into CLR processes. Because no tactic or relationship context is supplied, detection engineering should avoid over-scoping this to a specific ATT&CK tactic and instead focus on behavior correlation: configuration change plus unexpected .NET process behavior plus profiler DLL load.
Likely telemetry
- Windows Registry modification events for COR_PROFILER-related keys or values
- Environment variable change evidence for COR_ENABLE_PROFILING, COR_PROFILER, and COR_PROFILER_PATH
- Process creation telemetry for Windows .NET processes
- Process environment data where available
- DLL/module load telemetry showing unmanaged profiler DLLs loaded into .NET CLR processes
Detection direction
- Build correlation around COR_PROFILER-related configuration changes followed by .NET process creation or unexpected profiler DLL loads.
- Baseline legitimate developer, monitoring, APM, diagnostic, or profiling tools that may set these variables or load profiler DLLs to reduce false positives.
- Pay attention to unusual profiler DLL paths, unexpected parent processes, privileged user context, or changes on servers and endpoints where profiling is not normally used.
- Validate whether endpoint tooling actually captures process environment variables and module loads; many environments collect process creation but not enough runtime load detail.
- Because official detection logic is not provided, treat this as a detection design requirement rather than an out-of-the-box rule.
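As an added illustration of the correlation described above (not code from the page, from ATT&CK or from Glexia), the following Python prototype joins constructed sample telemetry: event shapes, field names, the approved-profiler baseline and the 15-minute window are assumptions to adapt to local tooling.

```python
from datetime import datetime, timedelta

COR_VARS = {"COR_ENABLE_PROFILING", "COR_PROFILER", "COR_PROFILER_PATH"}
# Hypothetical local baseline of approved profiler DLLs (e.g. an APM agent).
APPROVED_PROFILERS = {r"c:\program files\approved apm\profiler.dll"}
WINDOW = timedelta(minutes=15)  # max gap between a COR_* change and the process start

def correlate(events):
    """Alert when a COR_* Registry/environment change on a host is followed within WINDOW
    by a process carrying COR_* settings that then loads the DLL named by COR_PROFILER_PATH."""
    ts = datetime.fromisoformat
    changes = [e for e in events
               if e["type"] in ("registry_set", "env_set") and e["name"] in COR_VARS]
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}  # sample pids are unique
    alerts = []
    for e in events:
        if e["type"] != "image_load" or e["pid"] not in procs:
            continue
        p = procs[e["pid"]]
        expected = p.get("env", {}).get("COR_PROFILER_PATH", "").lower()
        # Loaded module must be the configured profiler and outside the baseline (CLSID-only registrations need a Registry lookup, not shown).
        if not expected or e["image"].lower() != expected or expected in APPROVED_PROFILERS:
            continue
        prior = [c for c in changes if c["host"] == p["host"]
                 and timedelta(0) <= ts(p["time"]) - ts(c["time"]) <= WINDOW]
        if prior:
            alerts.append({"host": p["host"], "pid": p["pid"], "image": p["image"],
                           "profiler": e["image"], "changes": [c["name"] for c in prior],
                           "changed_by": sorted({c["user"] for c in prior})})
    return alerts

# Constructed sample telemetry (not real logs); hosts, users, paths and times are made up.
SAMPLE_EVENTS = [
    {"type": "registry_set", "time": "2024-05-01T10:00:00", "host": "ws01", "user": "jdoe",
     "name": "COR_PROFILER_PATH", "value": r"C:\Users\jdoe\AppData\Local\Temp\prof.dll"},
    {"type": "registry_set", "time": "2024-05-01T10:00:01", "host": "ws01", "user": "jdoe",
     "name": "COR_ENABLE_PROFILING", "value": "1"},
    {"type": "process_create", "time": "2024-05-01T10:02:00", "host": "ws01", "pid": 4312,
     "image": r"C:\Apps\ReportTool.exe",  # hypothetical .NET business application
     "env": {"COR_ENABLE_PROFILING": "1", "COR_PROFILER": "{placeholder-clsid}",
             "COR_PROFILER_PATH": r"C:\Users\jdoe\AppData\Local\Temp\prof.dll"}},
    {"type": "image_load", "time": "2024-05-01T10:02:01", "host": "ws01", "pid": 4312,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\prof.dll"},
    # Benign: approved APM profiler on a server, suppressed by the baseline.
    {"type": "process_create", "time": "2024-05-01T11:00:00", "host": "srv01", "pid": 800,
     "image": r"C:\inetpub\App\Service.exe", "env": {"COR_ENABLE_PROFILING": "1",
     "COR_PROFILER_PATH": r"C:\Program Files\Approved APM\profiler.dll"}},
    {"type": "image_load", "time": "2024-05-01T11:00:01", "host": "srv01", "pid": 800,
     "image": r"C:\Program Files\Approved APM\profiler.dll"},
]
```

A profiler load with no preceding change inside the window (a setting made days earlier) is not alerted by this logic, which is why the baseline inventory and the Registry/environment change audit trail both matter.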
Mitigation priorities
- Restrict who can modify relevant Registry locations and system/user environment variables on Windows systems.
- Apply change control and alerting for profiler-related configuration changes on critical hosts.
- Maintain allowlists or inventories of approved .NET profiling, diagnostics, and monitoring components.
- Ensure endpoint logging and EDR policies capture Registry changes, process creation, and DLL/module loads needed for investigation.
- Include this behavior in incident response playbooks for unexpected .NET runtime modification or suspicious DLL loading.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for Windows focused on COR_PROFILER-related environment variables or Registry keys and unexpected profiler DLL loading into .NET CLR processes. There are no supplied relationships, tactics, aliases, or official detection implementation details, so local baselining is essential before operationalizing alerts.
This take is limited to the provided STIX fields and external reference. No active exploitation, actor attribution, affected products beyond Windows/.NET process context, or guaranteed detection coverage is implied. ATT&CK did not provide official detection logic for this analytic in the supplied fields.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5e57b4678362… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1319
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.