From 87e693287912ce82af37bf3610277f9f3b406b0d Mon Sep 17 00:00:00 2001 From: keyboardcrunch <40863898+keyboardcrunch@users.noreply.github.com> Date: Mon, 14 Sep 2020 19:53:24 -0500 Subject: [PATCH] added T1574.012 COR Profiler --- queries.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/queries.md b/queries.md index d4b081b..1c3e6a2 100644 --- a/queries.md +++ b/queries.md @@ -37,3 +37,12 @@ Detection of UAC bypass through tampering with Shell Open for .ms-settings or .m ``` SrcProcCmdLine ContainsCIS "ms-settings\shell\open\command" OR SrcProcCmdLine ContainsCIS "mscfile\shell\open\command" ``` + +### T1574.012 COR Profiler +Atomics: [T1574.012](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md) + +Detection of unmanaged COR profiler hooking of .NET CLR through registry or process command. + +``` +(SrcProcCmdScript Contains "COR_" AND SrcProcCmdScript Contains "\Environment") OR RegistryKeyPath Contains "COR_PROFILER_PATH" OR SrcProcCmdScript Contains "$env:COR_" +```
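Review bot: the new query matches with case-sensitive `Contains` on `SrcProcCmdScript`, while the UAC-bypass query directly above it uses `ContainsCIS` on `SrcProcCmdLine`; since PowerShell environment-variable names and registry value names are not case-sensitive, a command such as `$env:cor_profiler_path=...` or a `Set-ItemProperty` on `HKCU:\environment` would not fire this rule. Suggest `ContainsCIS` for all four terms, and confirm that `SrcProcCmdScript` (rather than `SrcProcCmdLine`, as in the rest of the file) is the intended field so the rule is not limited to script-block content. Two smaller points: the registry clause keys only on `COR_PROFILER_PATH` whereas the command-line clauses match the broader `COR_` prefix, so a profiler registered purely through the other `COR_` values in the registry is not covered; aligning it (for example `RegistryKeyPath ContainsCIS "\Environment" AND RegistryKeyPath ContainsCIS "COR_"`) would make the two halves consistent, and it is worth checking that `RegistryKeyPath` actually carries the value name in this schema, since if it holds only the key (`...\Environment`) the clause never matches.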