Skip to content

DET0479 Detection Strategy for Hijack Execution Flow using the Windows COR_PROFILER.

Item Value
ID DET0479
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1574.012 (COR_PROFILER)

Analytics

Windows

AN1319

Modification of COR_PROFILER-related environment variables or Registry keys (COR_ENABLE_PROFILING, COR_PROFILER, COR_PROFILER_PATH), combined with anomalous .NET process creation or unmanaged DLL loads. Defender observes registry modifications, suspicious process creation with altered environment variables, and profiler DLLs loaded unexpectedly into .NET CLR processes.

Log Sources
Data Component Name Channel
Windows Registry Key Modification (DC0063) WinEventLog:Security EventCode=4657
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Module Load (DC0016) WinEventLog:Sysmon EventCode=7
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Mutable Elements
Field Description
AllowedProfilers List of known good COR_PROFILER CLSIDs and DLLs expected in developer or monitoring environments.
ProcessScope Processes expected to load COR_PROFILER (e.g., Visual Studio) for baseline comparison.
TimeWindow Interval between registry modification or file creation and profiler DLL load into .NET processes.
ProfilerDllPaths Directories considered legitimate for profiler DLLs; deviations should raise alerts.