Skip to content


Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.12

The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a Component Object Model (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.2

Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: Bypass User Account Control) if the victim .NET process executes at a higher permission level, as well as to hook and Impair Defenses provided by .NET processes.34567

Item Value
ID T1574.012
Sub-techniques T1574.001, T1574.002, T1574.004, T1574.005, T1574.006, T1574.007, T1574.008, T1574.009, T1574.010, T1574.011, T1574.012, T1574.013
Tactics TA0003, TA0004, TA0005
Platforms Windows
Permissions required Administrator, User
Version 1.0
Created 24 June 2020
Last Modified 30 August 2021

Procedure Examples

ID Name Description
G0108 Blue Mockingbird Blue Mockingbird has used wmic.exe and Windows Registry modifications to set the COR_PROFILER environment variable to execute a malicious DLL whenever a process loads the .NET CLR.3
S1066 DarkTortilla DarkTortilla can detect profilers by verifying the COR_ENABLE_PROFILING environment variable is present and active.11


ID Mitigation Description
M1038 Execution Prevention Identify and block potentially malicious unmanaged COR_PROFILER profiling DLLs by using application control solutions like AppLocker that are capable of auditing and/or blocking unapproved DLLs.8910
M1024 Restrict Registry Permissions Ensure proper permissions are set for Registry hives to prevent users from modifying keys associated with COR_PROFILER.
M1018 User Account Management Limit the privileges of user accounts so that only authorized administrators can edit system environment variables.


ID Data Source Data Component
DS0017 Command Command Execution
DS0011 Module Module Load
DS0009 Process Process Creation
DS0024 Windows Registry Windows Registry Key Modification