Live Active security incident? Get immediate response
MITRE ATT&CK® Technique

T1574.012: COR_PROFILER

Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.[1][2]

The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a Component Object Model (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.[2]

Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: Bypass User Account Control) if the victim .NET process executes at a higher permission level, as well as to hook and impair defenses provided by .NET processes.[3][4][5][6][7]

EnterpriseT1574.012Sub-techniqueObject v2.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

COR_PROFILER abuse matters because a Windows .NET feature intended for profiling and debugging can be turned into an execution hijack point. If an attacker can set profiler-related environment variables or supporting registry/COM configuration, a DLL may load whenever .NET CLR processes start, creating persistence, stealthy execution, or execution in a higher-privileged .NET process context.

Executive priority

Treat this as a Windows endpoint and identity-control validation issue, not only a malware signature problem. Leaders should ask whether privileged accounts can modify relevant environment-variable or registry locations, whether application control limits unapproved DLL execution, and whether SOC telemetry can show profiler configuration changes and unexpected DLL loads in .NET processes. This is also useful audit evidence for least privilege, registry permission governance, and execution-prevention control maturity.

Technical view

For SOC, detection engineering, and IR teams, validate coverage around Windows systems that run .NET Framework applications. ATT&CK provides no official detection text for this sub-technique, but relationship context includes DET0479 for detecting hijack execution flow using Windows COR_PROFILER. Practical validation should focus on changes to system/user COR_PROFILER-related environment variables, registry-backed environment settings, COM profiler registration, COR_PROFILER_PATH usage, and unexpected unmanaged DLL loads into .NET CLR processes. Because process-scoped COR_PROFILER can exist in memory without registry modification, registry monitoring alone is insufficient.

Likely telemetry

  • Windows registry modification events for user-wide and system-wide environment variables and COM profiler-related configuration
  • Process creation telemetry that includes command line, parent process, integrity context, and environment variables where available
  • Module/DLL load telemetry for .NET CLR processes, especially unmanaged profiler DLLs loaded from unusual paths
  • File creation or modification telemetry for DLLs referenced by COR_PROFILER_PATH or profiler registration
  • Account and privilege-change evidence relevant to users or processes able to modify registry/environment settings

Detection direction

  • Use DET0479 as the ATT&CK-linked detection strategy reference, then test it against local Windows and .NET telemetry sources.
  • Alert on new or modified COR_PROFILER and COR_PROFILER_PATH values at system, user, or process scope where observable.
  • Correlate profiler configuration with subsequent .NET process starts and DLL loads; the useful signal is often the combination of configuration change plus unexpected module load.
  • Baseline legitimate developer, monitoring, troubleshooting, or profiling tools to reduce false positives; COR_PROFILER is a legitimate .NET Framework feature.
  • Do not rely only on registry auditing because ATT&CK notes process-scoped COR_PROFILER can be created in memory without registry changes.

Mitigation priorities

  • Prioritize User Account Management: enforce least privilege so ordinary users and service accounts cannot broadly modify sensitive environment-variable or registry locations.
  • Restrict registry permissions on keys used for system/user environment variables and COM-related profiler registration so only authorized administrators or management tooling can change them.
  • Use execution prevention controls to limit unauthorized DLL execution, especially profiler DLLs from untrusted or user-writable paths.
  • Maintain an approved inventory of legitimate .NET profilers and troubleshooting tools so defenders can distinguish expected engineering activity from suspicious persistence.
  • Include COR_PROFILER checks in Windows endpoint hardening, incident response triage, and compliance evidence for privileged access, registry control, and application control.
Analyst notes and limits

ATT&CK classifies this as a Windows sub-technique under Hijack Execution Flow with stealth and execution tactics. Relationship context states Blue Mockingbird and DarkTortilla use this technique, and mitigations M1018, M1024, and M1038 apply. These relationships support defensive prioritization, but they do not by themselves prove current activity in any specific environment.

The official ATT&CK object does not provide detection text, so detection guidance is derived from the technique description, external references listed by ATT&CK, and the DET0479 relationship. Local validation is required to know whether process environment variables, module loads, registry changes, and application-control decisions are actually collected and retained.

Official MITRE ATT&CK definition

COR_PROFILER

Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.[1][2]

The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a Component Object Model (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.[2]

Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: Bypass User Account Control) if the victim .NET process executes at a higher permission level, as well as to hook and impair defenses provided by .NET processes.[3][4][5][6][7]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1574 Hijack Execution Flow This object subtechnique of Hijack Execution Flow.
Associated objects

Groups, software, and campaigns

Group Enterprise

G0108: Blue Mockingbird

Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.[1]

Relationship explorer

All related ATT&CK context

mitigates · Mitigation M1024: Restrict Registry Permissions Enterprise uses · Group G0108: Blue Mockingbird Enterprise uses · Malware S1066: DarkTortilla Enterprise mitigates · Mitigation M1038: Execution Prevention Enterprise detects · Detection Strategy DET0479: Detection Strategy for Hijack Execution Flow using the Windows COR_PROFILER. Enterprise subtechnique of · Technique T1574: Hijack Execution Flow Enterprise mitigates · Mitigation M1018: User Account Management Enterprise
Mitigations

Mitigation direction

Mitigation Enterprise

M1024: Restrict Registry Permissions

Restricting registry permissions involves configuring access control settings for sensitive registry keys and hives to ensure that only authorized users or processes can make modifications. By limiting access, organizations can prevent unauthorized changes that adversaries might use for persistence, privilege escalation, or defense evasion. This mitigation can be implemented through the following measures:

Review and Adjust Permissions on Critical Keys

- Regularly review permissions on keys such as `Run`, `RunOnce`, and `Services` to ensure only authorized users have write access. - Use tools like `icacls` or `PowerShell` to automate permission adjustments.

Enable Registry Auditing

- Enable auditing on sensitive keys to log access attempts. - Use Event Viewer or SIEM solutions to analyze logs and detect suspicious activity. - Example Audit Policy: `auditpol /set /subcategory:"Registry" /success:enable /failure:enable`

Protect Credential-Related Hives

- Limit access to hives like `SAM`,`SECURITY`, and `SYSTEM` to prevent credential dumping or other unauthorized access. - Use LSA Protection to add an additional security layer for credential storage.

Restrict Registry Editor Usage

- Use Group Policy to restrict access to regedit.exe for non-administrative users. - Block execution of registry editing tools on endpoints where they are unnecessary.

Deploy Baseline Configuration Tools

- Use tools like Microsoft Security Compliance Toolkit or CIS Benchmarks to apply and maintain secure registry configurations.

*Tools for Implementation*

Registry Permission Tools:

- Registry Editor (regedit): Built-in tool to manage registry permissions. - PowerShell: Automate permissions and manage keys. `Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "KeyName" -Value "Value"` - icacls: Command-line tool to modify ACLs.

Monitoring Tools:

- Sysmon: Monitor and log registry events. - Event Viewer: View registry access logs.

Policy Management Tools:

- Group Policy Management Console (GPMC): Enforce registry permissions via GPOs. - Microsoft Endpoint Manager: Deploy configuration baselines for registry permissions.

Mitigation Enterprise

M1038: Execution Prevention

Prevent the execution of unauthorized or malicious code on systems by implementing application control, script blocking, and other execution prevention mechanisms. This ensures that only trusted and authorized code is executed, reducing the risk of malware and unauthorized actions. This mitigation can be implemented through the following measures:

Application Control:

- Use Case: Use tools like AppLocker or Windows Defender Application Control (WDAC) to create whitelists of authorized applications and block unauthorized ones. On Linux, use tools like SELinux or AppArmor to define mandatory access control policies for application execution. - Implementation: Allow only digitally signed or pre-approved applications to execute on servers and endpoints. (e.g., `New-AppLockerPolicy -PolicyType Enforced -FilePath "C:\Policies\AppLocker.xml"`)

Script Blocking:

- Use Case: Use script control mechanisms to block unauthorized execution of scripts, such as PowerShell or JavaScript. Web Browsers: Use browser extensions or settings to block JavaScript execution from untrusted sources. - Implementation: Configure PowerShell to enforce Constrained Language Mode for non-administrator users. (e.g., `Set-ExecutionPolicy AllSigned`)

Executable Blocking:

- Use Case: Prevent execution of binaries from suspicious locations, such as `%TEMP%` or `%APPDATA%` directories. - Implementation: Block execution of `.exe`, `.bat`, or `.ps1` files from user-writable directories.

Dynamic Analysis Prevention: - Use Case: Use behavior-based execution prevention tools to identify and block malicious activity in real time. - Implemenation: Employ EDR solutions that analyze runtime behavior and block suspicious code execution.

Mitigation Enterprise

M1018: User Account Management

User Account Management involves implementing and enforcing policies for the lifecycle of user accounts, including creation, modification, and deactivation. Proper account management reduces the attack surface by limiting unauthorized access, managing account privileges, and ensuring accounts are used according to organizational policies. This mitigation can be implemented through the following measures:

Enforcing the Principle of Least Privilege

- Implementation: Assign users only the minimum permissions required to perform their job functions. Regularly audit accounts to ensure no excess permissions are granted. - Use Case: Reduces the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions.

Implementing Strong Password Policies

- Implementation: Enforce password complexity requirements (e.g., length, character types). Require password expiration every 90 days and disallow password reuse. - Use Case: Prevents adversaries from gaining unauthorized access through password guessing or brute force attacks.

Managing Dormant and Orphaned Accounts

- Implementation: Implement automated workflows to disable accounts after a set period of inactivity (e.g., 30 days). Remove orphaned accounts (e.g., accounts without an assigned owner) during regular account audits. - Use Case: Eliminates dormant accounts that could be exploited by attackers.

Account Lockout Policies

- Implementation: Configure account lockout thresholds (e.g., lock accounts after five failed login attempts). Set lockout durations to a minimum of 15 minutes. - Use Case: Mitigates automated attack techniques that rely on repeated login attempts.

Multi-Factor Authentication (MFA) for High-Risk Accounts

- Implementation: Require MFA for all administrative accounts and high-risk users. Use MFA mechanisms like hardware tokens, authenticator apps, or biometrics. - Use Case: Prevents unauthorized access, even if credentials are stolen.

Restricting Interactive Logins

- Implementation: Restrict interactive logins for privileged accounts to specific secure systems or management consoles. Use group policies to enforce logon restrictions. - Use Case: Protects sensitive accounts from misuse or exploitation.

*Tools for Implementation*

Built-in Tools:

- Microsoft Active Directory (AD): Centralized account management and RBAC enforcement. - Group Policy Object (GPO): Enforce password policies, logon restrictions, and account lockout policies.

Identity and Access Management (IAM) Tools:

- Okta: Centralized user provisioning, MFA, and SSO integration. - Microsoft Azure Active Directory: Provides advanced account lifecycle management, role-based access, and conditional access policies.

Privileged Account Management (PAM): - CyberArk, BeyondTrust, Thycotic: Manage and monitor privileged account usage, enforce session recording, and JIT access.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.0
Created
Modified
Raw hash
6f37870bdfb94f57...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.0 Current bundle 6f37870bdfb9…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Microsoft Profiling Mar 2017

    Microsoft. (2017, March 30). Profiling Overview. Retrieved June 24, 2020.

    Open source URL
  2. [2]
    Microsoft COR_PROFILER Feb 2013

    Microsoft. (2013, February 4). Registry-Free Profiler Startup and Attach. Retrieved June 24, 2020.

    Open source URL
  3. [3]
    RedCanary Mockingbird May 2020

    Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.

    Open source URL
  4. [4]
    Red Canary COR_PROFILER May 2020

    Brown, J. (2020, May 7). Detecting COR_PROFILER manipulation for persistence. Retrieved June 24, 2020.

    Open source URL
  5. [5]
    Almond COR_PROFILER Apr 2019

    Almond. (2019, April 30). UAC bypass via elevated .NET applications. Retrieved June 24, 2020.

    Open source URL
  6. [6]
    GitHub OmerYa Invisi-Shell

    Yair, O. (2019, August 19). Invisi-Shell. Retrieved June 24, 2020.

    Open source URL
  7. [7]
    subTee .NET Profilers May 2017

    Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET Profilers. Retrieved June 24, 2020.

    Open source URL
  8. [8]
    mitre-attack T1574.012
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use