Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Переменная окружения COR_PROFILER
Каталоги
MITRE ATT@CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Переменная окружения COR_PROFI...
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Hijack Execution Flow:  Переменная окружения COR_PROFILER

ID Название
.001 Перехват поиска DLL-библиотек
.002 Загрузка сторонних DLL-библиотек
.004 Перехват поиска dylib-библиотек
.005 Недостатки разрешений для исполняемых файлов установщика
.006 Переменная окружения LD_PRELOAD
.007 Изменение переменной окружения PATH
.008 Перехват поиска программ
.009 Перехват поиска через не заключенный в кавычки путь
.010 Недостатки разрешений для файлов служб
.011 Недостатки разрешений для реестра служб
.012 Переменная окружения COR_PROFILER
.013 Злоупотребление процессом KernelCallbackTable

Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013) The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a Component Object Model (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013) Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: Bypass User Account Control) if the victim .NET process executes at a higher permission level, as well as to hook and Impair Defenses provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)

ID: T1574.012
Относится к технике:  T1574
Тактика(-и): Defense Evasion, Persistence, Privilege Escalation
Платформы: Windows
Требуемые разрешения: Administrator, User
Источники данных: Command: Command Execution, Module: Module Load, Process: Process Creation, Windows Registry: Windows Registry Key Modification
Версия: 1.0
Дата создания: 24 Jun 2020
Последнее изменение: 30 Aug 2021

Примеры процедур
Название Описание
Blue Mockingbird

Blue Mockingbird has used wmic.exe and Windows Registry modifications to set the COR_PROFILER environment variable to execute a malicious DLL whenever a process loads the .NET CLR.(Citation: RedCanary Mockingbird May 2020)

Контрмеры
Контрмера Описание
Restrict Registry Permissions

Restrict the ability to modify certain hives or keys in the Windows Registry.
Execution Prevention

Block execution of code on a system through application control, and/or script blocking.
User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

Обнаружение

For detecting system and user scope abuse of the COR_PROFILER, monitor the Registry for changes to COR_ENABLE_PROFILING, COR_PROFILER, and COR_PROFILER_PATH that correspond to system and user environment variables that do not correlate to known developer tools. Extra scrutiny should be placed on suspicious modification of these Registry keys by command line tools like wmic.exe, setx.exe, and Reg, monitoring for command-line arguments indicating a change to COR_PROFILER variables may aid in detection. For system, user, and process scope abuse of the COR_PROFILER, monitor for new suspicious unmanaged profiling DLLs loading into .NET processes shortly after the CLR causing abnormal process behavior.(Citation: Red Canary COR_PROFILER May 2020) Consider monitoring for DLL files that are associated with COR_PROFILER environment variables.

Ссылки

  1. Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET Profilers. Retrieved June 24, 2020.
  2. Yair, O. (2019, August 19). Invisi-Shell. Retrieved June 24, 2020.
  3. Almond. (2019, April 30). UAC bypass via elevated .NET applications. Retrieved June 24, 2020.
  4. Brown, J. (2020, May 7). Detecting COR_PROFILER manipulation for persistence. Retrieved June 24, 2020.
  5. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
  6. Microsoft. (2013, February 4). Registry-Free Profiler Startup and Attach. Retrieved June 24, 2020.
  7. Microsoft. (2017, March 30). Profiling Overview. Retrieved June 24, 2020.
  8. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  9. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  10. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
Навигация

Каталоги