T1574.014 AppDomainManager Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1574.014 — AppDomainManager Injection
// Detection covers three injection vectors: registry, config file, and suspicious assembly load
let SuspiciousPaths = dynamic([
    @"\Temp\", @"\AppData\Local\Temp\", @"\AppData\Roaming\",
    @"\ProgramData\", @"\Users\Public\", @"\Downloads\",
    @"\Desktop\", @"\AppData\Local\Microsoft\Windows\INetCache\"
]);
let DotNetHostProcesses = dynamic([
    "dotnet.exe", "msbuild.exe", "installutil.exe", "regsvcs.exe",
    "regasm.exe", "aspnet_compiler.exe", "csc.exe", "vbc.exe",
    "mscorsvw.exe", "ngen.exe", "dfsvc.exe"
]);
// Vector 1: Registry-based AppDomainManager hijack
let RegistryVector =
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has @"SOFTWARE\Microsoft\.NETFramework"
| where RegistryValueName in~ ("AppDomainManagerAsm", "AppDomainManagerType")
| extend InjectionVector = "Registry"
| extend DetectionDetail = strcat("Registry key: ", RegistryKey, " | Value: ", RegistryValueName, " = ", RegistryValueData)
| project Timestamp, DeviceName, AccountName, ActionType, InjectionVector, DetectionDetail,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName;
// Vector 2: Suspicious .config file creation or modification
let ConfigFileVector =
DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName endswith ".exe.config" or (FileName endswith ".config" and FileName !endswith ".web.config")
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FolderPath has_any (SuspiciousPaths)
    or (FolderPath !has @"\Program Files" and FolderPath !has @"\Windows\" and FolderPath !has @"\Program Files (x86)")
| where InitiatingProcessFileName !in~ ("msiexec.exe", "setup.exe", "installer.exe", "update.exe", "updater.exe")
| extend InjectionVector = "ConfigFile"
| extend DetectionDetail = strcat("Config file: ", FolderPath, "\\", FileName, " | Action: ", ActionType)
| project Timestamp, DeviceName, AccountName, ActionType, InjectionVector, DetectionDetail,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName;
// Vector 3: .NET host process loading assembly from suspicious/writable path
let AssemblyLoadVector =
DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where FileName endswith ".dll"
| where FolderPath has_any (SuspiciousPaths)
| where (InitiatingProcessFileName in~ (DotNetHostProcesses))
    or (InitiatingProcessFolderPath has @"\Microsoft.NET\Framework")
    or (InitiatingProcessFolderPath has @"\Microsoft.NET\Framework64")
| extend InjectionVector = "AssemblyLoad"
| extend DetectionDetail = strcat("Assembly: ", FolderPath, "\\", FileName, " loaded by ", InitiatingProcessFileName)
| project Timestamp, DeviceName, AccountName, ActionType = "AssemblyLoaded", InjectionVector, DetectionDetail,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName;
union RegistryVector, ConfigFileVector, AssemblyLoadVector
| sort by Timestamp desc

high severity medium confidence

Data Sources

Registry: Windows Registry Key Modification File: File Creation / File Modification Module: Module Load Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents DeviceFileEvents DeviceImageLoadEvents

False Positives

Software development environments (Visual Studio, JetBrains Rider) that create .exe.config files during build/debug cycles in user profile paths
Custom enterprise .NET applications legitimately installing themselves to %APPDATA% or %ProgramData% with valid config files referencing side-by-side assemblies
NuGet package installations or .NET tool installs via 'dotnet tool install' that place assemblies in %USERPROFILE%\.dotnet\tools or %APPDATA%\NuGet directories
Legitimate AppDomainManager extensions used by application frameworks (Unity Engine, Mono runtime, .NET testing frameworks like xUnit AppDomain isolation)
Security or monitoring software that hooks into .NET processes for telemetry collection using documented AppDomain extensibility

Splunk

spl

index=wineventlog (
  (
    sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
    (EventCode=12 OR EventCode=13)
    TargetObject="*\\SOFTWARE\\Microsoft\\.NETFramework*"
    (TargetObject="*AppDomainManagerAsm*" OR TargetObject="*AppDomainManagerType*")
  )
  OR
  (
    sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
    EventCode=11
    (TargetFilename="*.exe.config")
    (TargetFilename="*\\Temp\\*" OR TargetFilename="*\\AppData\\*" OR TargetFilename="*\\ProgramData\\*" OR TargetFilename="*\\Users\\Public\\*" OR TargetFilename="*\\Downloads\\*" OR TargetFilename="*\\Desktop\\*")
  )
  OR
  (
    sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
    EventCode=7
    (ImageLoaded="*\\Temp\\*.dll" OR ImageLoaded="*\\AppData\\*.dll" OR ImageLoaded="*\\ProgramData\\*.dll" OR ImageLoaded="*\\Users\\Public\\*.dll" OR ImageLoaded="*\\Downloads\\*.dll")
    (Image="*\\dotnet.exe" OR Image="*\\msbuild.exe" OR Image="*\\installutil.exe" OR Image="*\\regsvcs.exe" OR Image="*\\regasm.exe" OR Image="*\\csc.exe" OR Image="*\\aspnet_compiler.exe" OR Image="*\\Microsoft.NET\\*")
  )
)
| eval InjectionVector=case(
    (EventCode=12 OR EventCode=13), "Registry-AppDomainManager",
    EventCode=11, "ConfigFile-Suspicious",
    EventCode=7, "AssemblyLoad-WritablePath",
    true(), "Unknown"
  )
| eval RiskScore=case(
    InjectionVector="Registry-AppDomainManager", 90,
    InjectionVector="ConfigFile-Suspicious", 60,
    InjectionVector="AssemblyLoad-WritablePath", 50,
    true(), 10
  )
| eval Indicator=coalesce(TargetObject, TargetFilename, ImageLoaded)
| eval ProcessInfo=coalesce(Image, ProcessImage)
| where NOT (Image="*\\msiexec.exe" OR Image="*\\setup.exe" OR Image="*\\installer.exe" OR Image="*\\update.exe")
| table _time, host, User, EventCode, InjectionVector, RiskScore, Indicator, ProcessInfo, CommandLine, ParentImage
| sort - RiskScore, - _time

high severity medium confidence

Data Sources

Registry: Windows Registry Key Creation/Modification File: File Creation Module: Module Load Sysmon Event ID 7, 11, 12, 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Software development environments creating .exe.config files in user-writable build output directories during compilation or debugging
Custom enterprise applications legitimately deployed to %APPDATA% or %ProgramData% with .NET assembly side-loading configurations
Security software using .NET AppDomain extensibility for process instrumentation and telemetry collection
Unit testing frameworks (xUnit, NUnit, MSTest) that use AppDomain isolation for test execution in development machines
.NET SDK tools and dotnet CLI commands that install global tools or deploy assemblies to user-local directories

Elastic Security (EQL)

eql

registry where event.type in ("creation", "change")
  and registry.path : ("*\\AppDomainManager*", "*\\APPDOMAIN_MANAGER_ASM*", "*\\APPDOMAIN_MANAGER_TYPE*")
  and not process.name : ("msiexec.exe", "devenv.exe")

high severity medium confidence

Data Sources

Elastic Endpoint Security Registry events

Required Tables

logs-endpoint.events.registry.*

False Positives

Legitimate software installers that update components in TEMP during multi-step installation
Enterprise deployment tools (SCCM, Intune) staging and modifying binaries in temp locations
Self-updating applications that modify their own components before execution
Antivirus software modifying installer binaries during scanning or remediation

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP, username,
  "CommandLine", "Image" AS ProcessImage,
  "TargetFilename" AS ModifiedFile,
  CASE
    WHEN "TargetFilename" ILIKE '%\\temp\\%.exe' AND eventid = 11 THEN 90
    WHEN "TargetFilename" ILIKE '%\\temp\\%.dll' AND eventid = 11 THEN 80
    ELSE 50
  END AS RiskScore,
  CASE
    WHEN eventid = 11 AND "TargetFilename" ILIKE '%\\temp\\%.exe' THEN 'EXE Created in Temp'
    WHEN eventid = 1 AND "Image" ILIKE '%\\temp\\%' THEN 'Elevated Execution from Temp'
    ELSE 'Suspicious File Activity'
  END AS AlertType
FROM events
WHERE eventid IN (1, 11)
  AND ("Image" ILIKE '%\\temp\\%' OR "TargetFilename" ILIKE '%\\temp\\%')
  AND ("Image" ILIKE '%.exe%' OR "TargetFilename" ILIKE '%.exe' OR "TargetFilename" ILIKE '%.dll')
  AND username NOT ILIKE '%SYSTEM%'
  AND username NOT ILIKE '%TrustedInstaller%'
  AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
ORDER BY RiskScore DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Sysmon Event ID 1 Sysmon Event ID 11

Required Tables

events

False Positives

Legitimate multi-stage installer processes that modify binaries during installation
Enterprise software deployment (SCCM, Intune) staging binaries in temp directories
Self-updating applications modifying their own components
Antivirus software modifying installer files during remediation

Sumo Logic CSE

sql

_sourceCategory=*sysmon*
| json auto
| where EventCode in ("1","11")
| eval FilePath = if(EventCode = "1", Image, TargetFilename)
| where matches(lower(FilePath), "\\temp\\")
| where matches(lower(FilePath), "(\.exe|\.dll)$")
| eval IsInstaller = if(EventCode = "1" and matches(lower(Image), "(setup|install|msiexec|update)"), "true", "false")
| eval IsBinaryCreate = if(EventCode = "11", "true", "false")
| where User != "NT AUTHORITY\SYSTEM" and !isNull(User)
| eval RiskScore = if(IsInstaller = "true" or IsBinaryCreate = "true", 75, 40)
| stats values(EventCode) AS EventTypes, values(FilePath) AS Files, count AS EventCount by _sourceHost, User, _timeslice 10m
| where EventCount > 1
| sort by EventCount desc

high severity medium confidence

Data Sources

Sysmon Event ID 1 Sysmon Event ID 11

Required Tables

_sourceCategory=*sysmon*

False Positives

Multi-stage installers that legitimately modify components in TEMP during installation
Enterprise deployment solutions staging installer binaries in temporary locations
Self-updating applications that patch their own binaries before running them
Software that extracts and immediately executes components from archives

Google Chronicle / SecOps

yaral

rule T1574_014_hijack_execution {
  meta:
    author = "Detection Engineering"
    description = "Detects execution flow hijacking via installer or DLL path manipulation"
    severity = "high"
    confidence = "medium"
    mitre_attack = "T1574.014"
    reference = "https://attack.mitre.org/techniques/T1574/014/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)\\temp\\.*\.exe`) or
      re.regex($e.target.process.file.full_path, `(?i)\\appdata\\.*\.exe`)
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(msiexec|trustedinstaller|wusa|dpinst)`)
    not $e.principal.user.user_display_name = "SYSTEM"

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Endpoint telemetry

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate multi-stage installer processes that modify binaries during installation phases
Enterprise software deployment tools staging installer components in temp directories
Self-updating applications that download and replace their own binaries
Archive utilities that extract executables to temp before running them

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2")
| ImageFileName = /(?i)\\temp\\.*\.exe/
| ParentBaseFileName != /(?i)(msiexec|trustedinstaller|wusa|dpinst|svchost)/
| UserName != "SYSTEM"
| UserName != ""
| groupBy([aid, ComputerName, ImageFileName, ParentBaseFileName, UserName, CommandLine], function=[count(as=EventCount), min(timestamp, as=FirstSeen)])
| case {
    ImageFileName = /(?i)\\temp\\/i AND ParentBaseFileName = /(?i)(setup|install|update)/ => RiskScore := "High";
    ImageFileName = /(?i)\\temp\\/i => RiskScore := "Medium";
    * => RiskScore := "Low";
  }
| where RiskScore in ("High", "Medium")
| table([ComputerName, UserName, ImageFileName, ParentBaseFileName, CommandLine, EventCount, RiskScore, FirstSeen])
| sort(RiskScore)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Process events

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Legitimate enterprise installers that update extracted binaries during installation
Software deployment tools (SCCM, Intune) staging and modifying installers in temp
Self-patching applications that download and replace their own components
Automated software update mechanisms that modify binaries before execution

AppDomainManager

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections