- Tactics
- stealth , Execution
- Platforms
- Windows
- Reference
- attack.mitre.org/techniques/T1574.014
Description
Adversaries may execute their own malicious payloads by hijacking how the .NET AppDomainManager loads assemblies. The .NET framework uses the AppDomainManager class to create and manage one or more isolated runtime environments (called application domains) inside a process to host the execution of .NET applications. Assemblies (.exe or .dll binaries compiled to run as .NET code) may be loaded into an application domain as executable code.(Citation: Microsoft App Domains)
Known as “AppDomainManager injection,” adversaries may execute arbitrary code by hijacking how .NET applications load assemblies. For example, malware may create a custom application domain inside a target process to load and execute an arbitrary assembly. Alternatively, configuration files (.config) or process environment variables that define .NET runtime settings may be tampered with to instruct otherwise benign .NET applications to load a malicious assembly (identified by name) into the target process.(Citation: PenTestLabs AppDomainManagerInject)(Citation: PwC Yellow Liderc)(Citation: Rapid7 AppDomain Manager Injection)
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the stealth, Execution tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1006 — Direct Volume Access
- T1014 — Rootkit
- T1027 — Obfuscated Files or Information
- T1036 — Masquerading
- T1047 — Windows Management Instrumentation
- T1053 — Scheduled Task/Job
- T1055 — Process Injection
- T1059 — Command and Scripting Interpreter
- T1070 — Indicator Removal
- T1072 — Software Deployment Tools
- T1078 — Valid Accounts
- T1106 — Native API