Esc

COR_PROFILER - T1574.012

(ATT&CK® Technique)

Definition

Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1574012["COR_PROFILER"] --> |modifies| SystemConfigurationDatabaseRecord["System Configuration Database Record"]; class T1574012 OffensiveTechniqueNode;
        class SystemConfigurationDatabaseRecord ArtifactNode; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord";
        click T1574012 href "/offensive-technique/attack/T1574.012/"; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord"; T1574012["COR_PROFILER"] --> |adds| SharedLibraryFile["Shared Library File"]; class T1574012 OffensiveTechniqueNode;
        class SharedLibraryFile ArtifactNode; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile";
        click T1574012 href "/offensive-technique/attack/T1574.012/"; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile";                          FileIntegrityMonitoring["File Integrity Monitoring"] -->
          | analyzes | SharedLibraryFile["Shared Library File"];

          FileIntegrityMonitoring["File Integrity Monitoring"] -.->
            | may-detect | T1574012["COR_PROFILER"] ;
          class FileIntegrityMonitoring DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileEviction["File Eviction"] -->
          | deletes | SharedLibraryFile["Shared Library File"];

          FileEviction["File Eviction"] -.->
            | may-evict | T1574012["COR_PROFILER"] ;
          class FileEviction DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click FileEviction href "/technique/d3f:FileEviction";                           FileEncryption["File Encryption"] -->
          | encrypts | SharedLibraryFile["Shared Library File"];

          FileEncryption["File Encryption"] -.->
            | may-harden | T1574012["COR_PROFILER"] ;
          class FileEncryption DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click FileEncryption href "/technique/d3f:FileEncryption";              DecoyFile["Decoy File"] -->
          | spoofs | SharedLibraryFile["Shared Library File"];

          DecoyFile["Decoy File"] -.->
            | may-deceive | T1574012["COR_PROFILER"] ;
          class DecoyFile DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click DecoyFile href "/technique/d3f:DecoyFile"; LocalFilePermissions["Local File Permissions"] -->
          | restricts | SharedLibraryFile["Shared Library File"];

          LocalFilePermissions["Local File Permissions"] -.->
            | may-isolate | T1574012["COR_PROFILER"] ;
          class LocalFilePermissions DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";                                         RestoreFile["Restore File"] -->
          | restores | SharedLibraryFile["Shared Library File"];

          RestoreFile["Restore File"] -.->
            | may-restore | T1574012["COR_PROFILER"] ;
          class RestoreFile DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click RestoreFile href "/technique/d3f:RestoreFile"; RestoreConfiguration["Restore Configuration"] -->
          | restores | SystemConfigurationDatabaseRecord["System Configuration Database Record"];

          RestoreConfiguration["Restore Configuration"] -.->
            | may-restore | T1574012["COR_PROFILER"] ;
          class RestoreConfiguration DefensiveTechniqueNode;
          class SystemConfigurationDatabaseRecord ArtifactNode;
          click RestoreConfiguration href "/technique/d3f:RestoreConfiguration";                           FileAnalysis["File Analysis"] -->
          | analyzes | SharedLibraryFile["Shared Library File"];

          FileAnalysis["File Analysis"] -.->
            | may-detect | T1574012["COR_PROFILER"] ;
          class FileAnalysis DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click FileAnalysis href "/technique/d3f:FileAnalysis";              RemoteFileAccessMediation["Remote File Access Mediation"] -->
          | isolates | SharedLibraryFile["Shared Library File"];

          RemoteFileAccessMediation["Remote File Access Mediation"] -.->
            | may-isolate | T1574012["COR_PROFILER"] ;
          class RemoteFileAccessMediation DefensiveTechniqueNode;
          class SharedLibraryFile ArtifactNode;
          click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";

json