MITRE ATT&CK Technique
Description
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013) The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013) Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-06-24T22:30:55.843Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may leverage the COR_PROFILER environment '
'variable to hijack the execution flow of programs that load '
'the .NET CLR. The COR_PROFILER is a .NET Framework feature '
'which allows developers to specify an unmanaged (or external '
'of .NET) profiling DLL to be loaded into each .NET process '
'that loads the Common Language Runtime (CLR). These profilers '
'are designed to monitor, troubleshoot, and debug managed code '
'executed by the .NET CLR.(Citation: Microsoft Profiling Mar '
'2017)(Citation: Microsoft COR_PROFILER Feb 2013)\n'
'\n'
'The COR_PROFILER environment variable can be set at various '
'scopes (system, user, or process) resulting in different '
'levels of influence. System and user-wide environment '
'variable scopes are specified in the Registry, where a '
'[Component Object '
'Model](https://attack.mitre.org/techniques/T1559/001) (COM) '
'object can be registered as a profiler DLL. A process scope '
'COR_PROFILER can also be created in-memory without modifying '
'the Registry. Starting with .NET Framework 4, the profiling '
'DLL does not need to be registered as long as the location of '
'the DLL is specified in the COR_PROFILER_PATH environment '
'variable.(Citation: Microsoft COR_PROFILER Feb 2013)\n'
'\n'
'Adversaries may abuse COR_PROFILER to establish persistence '
'that executes a malicious DLL in the context of all .NET '
'processes every time the CLR is invoked. The COR_PROFILER can '
'also be used to elevate privileges (ex: [Bypass User Account '
'Control](https://attack.mitre.org/techniques/T1548/002)) if '
'the victim .NET process executes at a higher permission '
'level, as well as to hook and [Impair '
'Defenses](https://attack.mitre.org/techniques/T1562) provided '
'by .NET processes.(Citation: RedCanary Mockingbird May '
'2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: '
'Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa '
'Invisi-Shell)(Citation: subTee .NET Profilers May 2017)',
'external_references': [{'external_id': 'T1574.012',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1574/012'},
{'description': 'Microsoft. (2017, March 30). '
'Profiling Overview. Retrieved June '
'24, 2020.',
'source_name': 'Microsoft Profiling Mar 2017',
'url': 'https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/profiling-overview'},
{'description': 'Microsoft. (2013, February 4). '
'Registry-Free Profiler Startup and '
'Attach. Retrieved June 24, 2020.',
'source_name': 'Microsoft COR_PROFILER Feb 2013',
'url': 'https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ee471451(v=vs.100)'},
{'description': 'Lambert, T. (2020, May 7). '
'Introducing Blue Mockingbird. '
'Retrieved May 26, 2020.',
'source_name': 'RedCanary Mockingbird May 2020',
'url': 'https://redcanary.com/blog/blue-mockingbird-cryptominer/'},
{'description': 'Brown, J. (2020, May 7). Detecting '
'COR_PROFILER manipulation for '
'persistence. Retrieved June 24, '
'2020.',
'source_name': 'Red Canary COR_PROFILER May 2020',
'url': 'https://redcanary.com/blog/cor_profiler-for-persistence/'},
{'description': 'Almond. (2019, April 30). UAC bypass '
'via elevated .NET applications. '
'Retrieved June 24, 2020.',
'source_name': 'Almond COR_PROFILER Apr 2019',
'url': 'https://offsec.almond.consulting/UAC-bypass-dotnet.html'},
{'description': 'Yair, O. (2019, August 19). '
'Invisi-Shell. Retrieved June 24, '
'2020.',
'source_name': 'GitHub OmerYa Invisi-Shell',
'url': 'https://github.com/OmerYa/Invisi-Shell'},
{'description': 'Smith, C. (2017, May 18). Subvert '
'CLR Process Listing With .NET '
'Profilers. Retrieved June 24, 2020.',
'source_name': 'subTee .NET Profilers May 2017',
'url': 'https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html'}],
'id': 'attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-10-24T17:49:40.510Z',
'name': 'COR_PROFILER',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Jesse Brown, Red Canary'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.1'}