1. Home
  2. Techniques
  3. Enterprise
  4. Hijack Execution Flow
  5. AppDomainManager

Hijack Execution Flow: AppDomainManager

ID Name
T1574.001 DLL Search Order Hijacking
T1574.002 DLL Side-Loading
T1574.004 Dylib Hijacking
T1574.005 Executable Installer File Permissions Weakness
T1574.006 Dynamic Linker Hijacking
T1574.007 Path Interception by PATH Environment Variable
T1574.008 Path Interception by Search Order Hijacking
T1574.009 Path Interception by Unquoted Path
T1574.010 Services File Permissions Weakness
T1574.011 Services Registry Permissions Weakness
T1574.012 COR_PROFILER
T1574.013 KernelCallbackTable
T1574.014 AppDomainManager

Adversaries may execute their own malicious payloads by hijacking how the .NET AppDomainManager loads assemblies. The .NET framework uses the AppDomainManager class to create and manage one or more isolated runtime environments (called application domains) inside a process to host the execution of .NET applications. Assemblies (.exe or .dll binaries compiled to run as .NET code) may be loaded into an application domain as executable code.[1]

Known as "AppDomainManager injection," adversaries may execute arbitrary code by hijacking how .NET applications load assemblies. For example, malware may create a custom application domain inside a target process to load and execute an arbitrary assembly. Alternatively, configuration files (.config) or process environment variables that define .NET runtime settings may be tampered with to instruct otherwise benign .NET applications to load a malicious assembly (identified by name) into the target process.[2][3][4]

ID: T1574.014
Sub-technique of:  T1574
Platforms: Windows
Contributors: Ivy Drexel; Thomas B
Version: 1.0
Created: 28 March 2024
Last Modified: 28 April 2024
Version Permalink

Procedure Examples

ID Name Description
S1152 IMAPLoader

IMAPLoader is executed via the AppDomainManager injection technique.[5]

Mitigations

ID Mitigation Description
M1022 Restrict File and Directory Permissions

Install .NET applications and related software in write-protected locations. Set directory access controls to prevent file writes to the search paths for .NET applications, both in the folders where applications are run from and the standard resources folders.

Detection

ID Data Source Data Component Detects
DS0022 File File Creation

Monitor for newly constructed files, especially unknown .NET assemblies and configuration files in user writable folder paths.
DS0011 Module Module Load

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of .NET assemblies into processes (which may not always create standard image load events).

Look for image loads that are not recognized or not normally loaded into a process.[2][4]
DS0009 Process Process Creation

Monitor newly constructed processes for unusual activity (e.g., a process that does not use the network begins to do so) as well as the loading of unexpected .NET resources.

References

  1. Microsoft. (2021, September 15). Application domains. Retrieved March 28, 2024.
  2. Administrator. (2020, May 26). APPDOMAINMANAGER INJECTION AND DETECTION. Retrieved March 28, 2024.
  3. PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved March 29, 2024.
  1. Spagnola, N. (2023, May 5). AppDomain Manager Injection: New Techniques For Red Teams. Retrieved March 29, 2024.
  2. PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024.