COR_PROFILER
COR_PROFILER [T1574.012]
Information
Name: COR_PROFILER
ID: T1574.012
Technique: T1574
Introduction
COR_PROFILER (T1574.012) is a sub-technique of the MITRE ATT&CK framework under the "Hijack Execution Flow" technique (T1574). Attackers leverage the COR_PROFILER environment variable to redirect the execution flow of legitimate Windows processes by loading malicious DLLs. This approach exploits the Common Language Runtime (CLR) profiling mechanism, allowing adversaries to execute arbitrary code within the context of legitimate programs, thereby achieving persistence, privilege escalation, or stealthy execution.
Deep Dive Into Technique
The COR_PROFILER environment variable is part of Microsoft's .NET Framework profiling API, designed for developers to monitor and analyze .NET applications. Legitimate profilers use this environment variable to specify a CLSID (Class ID) corresponding to a COM object implementing the ICorProfilerCallback interface. Attackers exploit this mechanism by:
Setting the COR_ENABLE_PROFILING environment variable to "1" to activate profiling.
Defining the COR_PROFILER environment variable with a malicious CLSID.
Registering a malicious DLL in the Windows Registry corresponding to the CLSID specified, typically under the key:
Upon execution, the .NET runtime loads the malicious DLL and executes attacker-defined code within the context of the targeted .NET application.
Technical details and execution specifics include:
Attackers often target processes with high privileges or those commonly executed, such as IIS web servers, PowerShell, or other .NET-based services.
Malicious DLLs loaded via COR_PROFILER typically implement methods defined by ICorProfilerCallback to execute attacker-controlled code at runtime.
The technique does not require modification of existing binaries, making detection more challenging.
Attackers may use scripting tools or manual registry edits to configure the necessary environment variables and registry keys.
When this Technique is Usually Used
Attackers typically leverage the COR_PROFILER sub-technique in various attack stages and scenarios, including:
Persistence: Ensuring malicious code execution persists across system reboots or application restarts by embedding DLL references into commonly executed processes.
Privilege Escalation: Targeting processes that run with elevated privileges to execute malicious code with higher rights.
Defense Evasion: Hijacking legitimate processes to blend malicious activity with normal system operations, thereby evading detection by traditional antivirus or endpoint detection solutions.
Lateral Movement: Exploiting .NET-based services accessible across networked systems to propagate malicious code and establish footholds on additional systems.
Credential Access: Injecting code into processes handling sensitive information, such as web servers or authentication services, to capture credentials or sensitive data.
How this Technique is Usually Detected
Detection of the COR_PROFILER sub-technique involves a combination of monitoring, auditing, and endpoint detection strategies, including:
Registry Monitoring:
Monitoring changes to registry keys related to CLSIDs, specifically:
Detecting unusual or unauthorized additions or modifications to these registry locations.
Environment Variable Monitoring:
Auditing the creation or modification of environment variables COR_ENABLE_PROFILING and COR_PROFILER.
Identifying these variables set in unexpected contexts, such as user sessions or system-wide configurations.
Process Monitoring and Logging:
Using Sysmon or similar tools to detect processes loading unexpected DLLs.
Reviewing logs for DLL injection events, particularly those involving suspicious DLL paths or filenames.
Endpoint Detection and Response (EDR) Solutions:
Leveraging advanced EDR tools capable of detecting suspicious DLL loads, unusual profiler registrations, and abnormal CLR behavior.
Utilizing behavior-based detections that identify runtime profiling activities in environments where profiling is uncommon or unauthorized.
Indicators of Compromise (IoCs):
Suspicious DLL files located in unusual directories (e.g., temporary folders, user directories).
Unexpected CLSIDs registered in the registry pointing to unknown or unsigned DLL files.
Unusual processes or services invoking .NET profiling APIs without known legitimate use cases.
Why it is Important to Detect This Technique
Detecting the COR_PROFILER sub-technique is critical due to its potential impacts and associated risks, including:
Stealthy Persistence: Allows attackers to maintain long-term, stealthy access to compromised systems by embedding malicious code within legitimate processes.
Privilege Escalation: Enables malicious code execution with elevated privileges, potentially leading to full system compromise and control.
Credential Theft and Data Exfiltration: Attackers may inject code into sensitive processes to capture and exfiltrate critical credentials, sensitive user data, or proprietary information.
Defense Evasion: Hijacking legitimate processes can bypass traditional antivirus and endpoint security solutions, complicating detection and remediation efforts.
Operational Impact: Compromise of critical .NET-based services or applications can lead to service disruption, data corruption, or unauthorized access to sensitive business assets.
Early detection significantly reduces the potential damage and limits the adversary's ability to escalate privileges, persist, and move laterally within the network.
Examples
Real-world examples and scenarios involving the COR_PROFILER sub-technique include:
Operation Cobalt Kitty (APT32):
Attackers leveraged the COR_PROFILER environment variable to load malicious DLLs into legitimate .NET applications.
Enabled persistent access and stealthy execution of malware within compromised environments.
Impact: Long-term espionage activity, data exfiltration, and credential theft.
PowerShell Profiling Hijack:
Attackers configured COR_PROFILER and COR_ENABLE_PROFILING environment variables targeting PowerShell processes.
Malicious DLLs were loaded into PowerShell runtime, executing attacker-controlled scripts and commands.
Impact: Credential harvesting, lateral movement, and persistent command-and-control communication.
IIS Web Server Compromise:
Attackers set COR_PROFILER variables to inject malicious profiling DLLs into IIS worker processes (w3wp.exe).
Enabled interception of web requests, credential theft, and manipulation of web application behavior.
Impact: Sensitive data exfiltration, unauthorized access, and potential service disruption.
Red Team Toolkits:
Offensive security tools such as "CLRvoyance" and custom red-team frameworks have demonstrated the use of COR_PROFILER hijacking to execute arbitrary payloads for persistence and defense evasion.
Impact: Demonstrated real-world feasibility, highlighting the criticality of detection and prevention measures.
Last updated
Was this helpful?