
Registry-Free Process Scope COR_PROFILER

Summary
This detection rule monitors for potential misuse of the COR_PROFILER environment variable, which adversaries can use to alter the execution flow of .NET applications. COR_PROFILER exists to support profiling of .NET managed code: when a .NET process starts, the CLR loads the unmanaged profiler DLL the variable points to. Adversaries may set this variable to load a malicious profiling library that lets them monitor, intercept, or modify the behavior of the CLR runtime. As the rule name indicates, it targets the registry-free variant in which the variables are set in the scope of a process rather than persisted in the registry. The rule depends on Script Block Logging being enabled, because it inspects logged PowerShell scripts for the suspicious environment variables COR_ENABLE_PROFILING, COR_PROFILER, and COR_PROFILER_PATH. The presence of these variables in an executed script may indicate an attempt to hijack .NET process execution and should be treated as a red flag. The rule is rated medium severity: it identifies a genuine risk, but legitimate administrative PowerShell scripts that reference the same environment variables can produce false positives.
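As an added example (not the Sigma rule's own logic or code), the check below applies the rule's idea to constructed Script Block Logging records: it looks for the three variable names in each script block and reports which ones appear. The sample events, the placeholder CLSID and DLL path, and the high/medium confidence tiering are this example's own assumptions.

```python
import re

# Environment variables named by the rule. Matching is case-insensitive because
# Windows environment variable names are case-insensitive.
PROFILER_VARS = ("COR_ENABLE_PROFILING", "COR_PROFILER_PATH", "COR_PROFILER")
# Word boundaries keep COR_PROFILER from also matching inside COR_PROFILER_PATH.
PROFILER_RE = re.compile(r"\b(" + "|".join(PROFILER_VARS) + r")\b", re.IGNORECASE)

# Constructed sample events in the shape of PowerShell Script Block Logging
# records (Event ID 4104); these are not real telemetry. The CLSID and DLL
# path are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText":
        "$env:COR_ENABLE_PROFILING=1; $env:COR_PROFILER='{PLACEHOLDER-CLSID}'; "
        "$env:COR_PROFILER_PATH='C:\\Users\\Public\\prof.dll'; Start-Process notepad.exe"},
    {"EventID": 4104, "ScriptBlockText":
        "Remove-Item Env:cor_profiler -ErrorAction SilentlyContinue"},
    {"EventID": 4104, "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending"},
    {"EventID": 4103, "ScriptBlockText": "$env:COR_PROFILER='{PLACEHOLDER-CLSID}'"},
]


def profiler_vars_in(script_text):
    """Return the set of rule-listed variable names found in a script block."""
    return {m.group(1).upper() for m in PROFILER_RE.finditer(script_text)}


def evaluate_events(events):
    """Apply the detection to script block records and return the hits.

    Each hit is (event index, sorted matched names, confidence). The confidence
    tiering is this example's own triage convention, not part of the Sigma rule:
    all three variables together describe a complete registry-free profiler
    setup, while a single variable is more often administrative cleanup.
    """
    hits = []
    for idx, ev in enumerate(events):
        if ev.get("EventID") != 4104:   # rule relies on Script Block Logging
            continue
        found = profiler_vars_in(ev.get("ScriptBlockText", ""))
        if found:
            confidence = "high" if found == set(PROFILER_VARS) else "medium"
            hits.append((idx, sorted(found), confidence))
    return hits


if __name__ == "__main__":
    for idx, names, confidence in evaluate_events(SAMPLE_EVENTS):
        print(f"event {idx}: {confidence} - {', '.join(names)}")
```

The second sample event shows the false-positive case the rule description warns about: an administrative cleanup that merely removes the variable still matches.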
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Script
ATT&CK Techniques
  • T1574.012
Created: 2021-12-30