Merge PR #4594 from @bohops - updating cor profiler rule

update: Enabling COR Profiler Environment Variables - Add additional values to increase coverage for potential COR CLR profiler abuse

---------

Co-authored-by: Nasreddine Bencherchali <[email protected]>

rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml

@@ -1,14 +1,15 @@
 title: Enabling COR Profiler Environment Variables
 id: ad89044a-8f49-4673-9a55-cbd88a1b374f
 status: test
-description: This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.
+description: Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
 references:
     - https://twitter.com/jamieantisocial/status/1304520651248668673
     - https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors
     - https://www.sans.org/cyber-security-summit/archives
-author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)
+    - https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling
+author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), Jimmy Bayne (@bohops)
 date: 2020/09/10
-modified: 2023/08/17
+modified: 2023/11/24
 tags:
     - attack.persistence
     - attack.privilege_escalation
@@ -18,9 +19,12 @@ logsource:
     category: registry_set
     product: windows
 detection:
-    selection:
+    selection_1:
         TargetObject|endswith:
             - '\COR_ENABLE_PROFILING'
             - '\COR_PROFILER'
-    condition: selection
-level: high
+            - '\CORECLR_ENABLE_PROFILING'
+    selection_2:
+        TargetObject|contains: '\CORECLR_PROFILER_PATH'
+    condition: 1 of selection_*
+level: medium