Modification of COR_PROFILER-related environment variables or Registry keys (COR_ENABLE_PROFILING, COR_PROFILER, COR_PROFILER_PATH), combined with anomalous .NET process creation or unmanaged DLL loads. Defenders observe registry modifications, suspicious process creation with altered environment variables, and profiler DLLs loaded unexpectedly into .NET CLR processes.

| Data Component | Name | Channel |
|---|---|---|
| Windows Registry Key Modification (DC0063) | WinEventLog:Security | EventCode=4657 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |

| Field | Description |
|---|---|
| AllowedProfilers | List of known good COR_PROFILER CLSIDs and DLLs expected in developer or monitoring environments. |
| ProcessScope | Processes expected to load COR_PROFILER (e.g., Visual Studio) for baseline comparison. |
| TimeWindow | Interval between registry modification or file creation and profiler DLL load into .NET processes. |
| ProfilerDllPaths | Directories considered legitimate for profiler DLLs; deviations should raise alerts. |
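The correlation described above, as an added example that is not part of the original page: a Python routine that flags COR_PROFILER-related registry changes (Security 4657) which fall outside the AllowedProfilers and ProfilerDllPaths policy, tracks which processes have loaded the CLR (Sysmon 7 loads of clr.dll or coreclr.dll), and raises a high-severity alert when a DLL named by a recent COR_PROFILER_PATH change is loaded into a .NET process that is not in ProcessScope within TimeWindow. The event records are constructed and use a simplified dictionary shape rather than raw Windows event XML, and every tunable value is an assumption. One caveat worth building in: Sysmon Event ID 1 does not record the new process's environment block, so the "altered environment variables" signal is not directly visible in that event; this example treats the registry write and the subsequent module load as the observables and uses Event ID 1 only to enrich alerts with the parent image.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Tunable parameters corresponding to the table above (all values constructed)
ALLOWED_PROFILERS = {"{00000000-0000-0000-0000-00000000aaaa}"}      # known-good CLSIDs
PROCESS_SCOPE = {"devenv.exe"}                                      # hosts expected to load a profiler
TIME_WINDOW = timedelta(minutes=30)                                  # max gap: key change -> DLL load
PROFILER_DLL_PATHS = [r"C:\Program Files\Microsoft Visual Studio"]  # legitimate profiler directories
COR_KEYS = {"COR_ENABLE_PROFILING", "COR_PROFILER", "COR_PROFILER_PATH"}
CLR_MODULES = {"clr.dll", "coreclr.dll", "mscorwks.dll"}             # a load of one of these marks a .NET process


def _under(path, roots):
    """True if path lies below one of the directories in roots (case-insensitive)."""
    p = path.lower()
    return any(p.startswith(r.lower().rstrip("\\") + "\\") for r in roots)


def _name(path):
    return PureWindowsPath(path).name.lower()


def classify_setting(value_name, new_value):
    """Return why a COR_PROFILER-related value violates policy, or None if it is acceptable."""
    v = value_name.upper()
    if v == "COR_PROFILER" and new_value not in ALLOWED_PROFILERS:
        return "COR_PROFILER CLSID not in AllowedProfilers"
    if v == "COR_PROFILER_PATH" and not _under(new_value, PROFILER_DLL_PATHS):
        return "COR_PROFILER_PATH outside ProfilerDllPaths"
    if v == "COR_ENABLE_PROFILING" and new_value.strip() == "1":
        return "COR_ENABLE_PROFILING enabled"
    return None


def correlate(events):
    """Correlate 4657 registry changes with Sysmon 7 DLL loads inside CLR-hosting processes."""
    alerts, pending, procs, clr_hosts = [], [], {}, set()
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["channel"], ev["code"])
        if key == ("Security", 4657) and ev["value_name"].upper() in COR_KEYS:
            reason = classify_setting(ev["value_name"], ev["new_value"])
            if reason:
                alerts.append({"severity": "medium", "reason": reason, "time": ev["time"],
                               "key": ev["object_name"] + "\\" + ev["value_name"], "by": ev["process"]})
                pending.append(ev)  # remember it so a later DLL load can be tied back to it
        elif key == ("Sysmon", 1):
            procs[ev["process_guid"]] = {"image": ev["image"], "parent": ev["parent_image"]}
        elif key == ("Sysmon", 7):
            guid, loaded = ev["process_guid"], ev["image_loaded"]
            if _name(loaded) in CLR_MODULES:
                clr_hosts.add(guid)
                continue
            if guid not in clr_hosts or _name(ev["image"]) in PROCESS_SCOPE:
                continue  # not a .NET process, or a host expected to carry a profiler
            ctx = {"time": ev["time"], "host": ev["image"], "dll": loaded,
                   "parent": procs.get(guid, {}).get("parent")}
            # Strongest signal: the loaded DLL is exactly the path set by a recent COR_PROFILER_PATH change
            matched = [p for p in pending if p["value_name"].upper() == "COR_PROFILER_PATH"
                       and p["new_value"].lower() == loaded.lower()
                       and timedelta(0) <= ev["time"] - p["time"] <= TIME_WINDOW]
            if matched:
                alerts.append({"severity": "high", **ctx,
                               "reason": "DLL from recent COR_PROFILER_PATH change loaded into .NET process"})
            elif not ev.get("signed", False) and not _under(loaded, PROFILER_DLL_PATHS):
                alerts.append({"severity": "low", **ctx,
                               "reason": "unsigned DLL outside ProfilerDllPaths loaded into .NET process"})
    return alerts


# Constructed sample telemetry: one suspicious chain, one benign Visual Studio load, one non-.NET load
T0 = datetime(2024, 5, 1, 9, 0, 0)
HKCU_ENV = r"HKEY_CURRENT_USER\Environment"
SAMPLE_EVENTS = [
    {"channel": "Security", "code": 4657, "time": T0, "object_name": HKCU_ENV, "value_name": "COR_ENABLE_PROFILING",
     "new_value": "1", "process": r"C:\Windows\System32\reg.exe"},
    {"channel": "Security", "code": 4657, "time": T0 + timedelta(minutes=1), "object_name": HKCU_ENV,
     "value_name": "COR_PROFILER", "new_value": "{cccccccc-cccc-cccc-cccc-cccccccccccc}", "process": r"C:\Windows\System32\reg.exe"},
    {"channel": "Security", "code": 4657, "time": T0 + timedelta(minutes=1), "object_name": HKCU_ENV,
     "value_name": "COR_PROFILER_PATH", "new_value": r"C:\Users\alice\AppData\Local\Temp\prof.dll", "process": r"C:\Windows\System32\reg.exe"},
    {"channel": "Sysmon", "code": 1, "time": T0 + timedelta(minutes=5), "process_guid": "{guid-1}",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"channel": "Sysmon", "code": 7, "time": T0 + timedelta(minutes=5), "process_guid": "{guid-1}",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image_loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll", "signed": True},
    {"channel": "Sysmon", "code": 7, "time": T0 + timedelta(minutes=5, seconds=1), "process_guid": "{guid-1}",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\prof.dll", "signed": False},
    {"channel": "Sysmon", "code": 7, "time": T0 + timedelta(minutes=6), "process_guid": "{guid-2}",
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "image_loaded": r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\coreclr.dll", "signed": True},
    {"channel": "Sysmon", "code": 7, "time": T0 + timedelta(minutes=6, seconds=1), "process_guid": "{guid-2}",
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "image_loaded": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Team Tools\profiler.dll", "signed": True},
    {"channel": "Sysmon", "code": 7, "time": T0 + timedelta(minutes=7), "process_guid": "{guid-3}",
     "image": r"C:\Windows\System32\notepad.exe", "image_loaded": r"C:\Users\alice\AppData\Local\Temp\other.dll", "signed": False},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["reason"], a.get("host") or a.get("key"))
```

Run against the sample telemetry, the three registry writes each produce a medium alert on their own, and the load of the Temp-directory DLL into the PowerShell host (which had just loaded clr.dll) escalates to high because it matches the COR_PROFILER_PATH value written four minutes earlier. The devenv.exe load is suppressed by ProcessScope, and the notepad.exe load is ignored because that process never loaded the CLR. In production, the medium alerts are the ones to tune with AllowedProfilers, since monitoring agents and developer tooling legitimately write these values.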