Detection focuses on unauthorized manipulation of .NET AppDomainManager behavior. Defenders may observe suspicious creation of new AppDomains within trusted processes, anomalous loading of assemblies via non-standard configuration files, or registry/environment variable changes redirecting AppDomainManager to malicious assemblies. Correlated events include config file tampering, new process creation of .NET host processes (e.g., w3wp.exe, powershell.exe) with modified runtime parameters, and module loads of unusual or unsigned .NET DLLs.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |

| Field | Description |
|---|---|
| TargetProcesses | List of monitored .NET host processes (e.g., powershell.exe, w3wp.exe, svchost.exe). |
| AssemblyWhitelist | Known benign .NET assemblies expected to load via AppDomainManager. |
| ConfigFilePaths | Directory paths where configuration tampering should be monitored (application directories, system32, program files). |
| TimeWindow | Correlation period between file modification of config/environment settings and subsequent anomalous module load. |
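The correlation described above (a write to a host's `<exe>.config` in a monitored directory, followed within TimeWindow by that host loading a non-whitelisted, unsigned assembly) as an added Python example; it is not part of the original page, and the event records, paths and the `ADM.dll` name are constructed stand-ins for Sysmon EventCode 11 and 7 fields.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Tunables mirroring the fields in the table above (constructed values).
TARGET_PROCESSES = {"powershell.exe", "w3wp.exe", "svchost.exe"}
ASSEMBLY_WHITELIST = {"mscorlib.dll", "system.dll", "system.core.dll"}
CONFIG_FILE_PATHS = (r"C:\Windows\System32", r"C:\Program Files", r"C:\inetpub")
TIME_WINDOW = timedelta(minutes=10)

# Constructed sample events: one Sysmon file-create (11) for powershell.exe.config,
# then two Sysmon image-load (7) events in powershell.exe (one unsigned, one benign).
EVENTS = [
    {"time": "2024-05-01T10:00:05", "code": 11, "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.config"},
    {"time": "2024-05-01T10:02:30", "code": 7, "signed": False,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "loaded": r"C:\Users\Public\ADM.dll"},
    {"time": "2024-05-01T10:03:00", "code": 7, "signed": True,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll"},
]

def _ts(e):
    return datetime.fromisoformat(e["time"])

def _under_monitored_path(path):
    return any(path.lower().startswith(p.lower()) for p in CONFIG_FILE_PATHS)

def find_appdomainmanager_hijacks(events):
    """Return module loads of non-whitelisted, unsigned DLLs into a target .NET host
    that follow, within TIME_WINDOW, creation of that host's <exe>.config file."""
    config_writes = [e for e in events if e["code"] == 11
                     and e["target"].lower().endswith(".exe.config")
                     and _under_monitored_path(e["target"])]
    alerts = []
    for e in events:
        if e["code"] != 7:
            continue
        host = PureWindowsPath(e["image"]).name.lower()
        dll = PureWindowsPath(e["loaded"]).name.lower()
        if host not in TARGET_PROCESSES or dll in ASSEMBLY_WHITELIST or e.get("signed"):
            continue
        for cw in config_writes:
            # "powershell.exe.config" -> "powershell.exe": tie the config to its host.
            cfg_host = PureWindowsPath(cw["target"]).name.lower()[:-len(".config")]
            if cfg_host == host and timedelta(0) <= _ts(e) - _ts(cw) <= TIME_WINDOW:
                alerts.append({"host": host, "dll": e["loaded"], "config": cw["target"]})
    return alerts
```

In a SIEM the same logic maps to a join of EventCode=11 and EventCode=7 on the host image name with a bounded time span; registry or environment-variable redirection would need an additional lookback source.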