T1574.014 Google Chronicle · YARA-L

Detect AppDomainManager in Google Chronicle

Adversaries may execute their own malicious payloads by hijacking how the .NET AppDomainManager loads assemblies. Known as AppDomainManager injection, this technique forces a legitimate .NET application to load and execute a malicious assembly by manipulating application configuration files (.exe.config), setting process environment variables (APPDOMAIN_MANAGER_ASM, APPDOMAIN_MANAGER_TYPE, or their COMPlus_ prefixed equivalents — COMPlus_AppDomainManagerAsm, COMPlus_AppDomainManagerType), or modifying HKLM\SOFTWARE\Microsoft\.NETFramework registry keys. Because the malicious code executes inside a trusted .NET host process, it inherits the process's privileges and evades detections focused on process-spawn anomalies. Iran-nexus threat actor Yellow Liderc (IMPERIAL KITTEN) deployed IMAPLoader malware against maritime, shipping, and logistics sector victims using this technique. Real-world usage demonstrates that adversaries target high-value .NET host processes (IIS worker processes, MSBuild, InstallUtil, custom enterprise applications) to maximize privilege and blend into legitimate process telemetry.
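The three vectors above leave three different host artifacts. The following Python script is an added example (not code from the original page or from any vendor) that audits all three: it parses an .exe.config for the `appDomainManagerAssembly` / `appDomainManagerType` elements under `<runtime>`, scans a process environment block for the variable names listed above, and matches registry values under `HKLM\SOFTWARE\Microsoft\.NETFramework`. Inputs are passed in as plain Python values so it runs offline; the sample config, environment and registry data at the bottom are constructed for illustration.

```python
"""Host-artifact audit for the three AppDomainManager injection vectors.

Added example (not code from the original page or any vendor): inspects an
application's .exe.config, a process environment block and registry values for
the settings that redirect AppDomainManager loading.  Inputs are plain Python
values so the check runs offline; the sample data at the bottom is constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Environment variable names named on the page (Windows treats them case-insensitively).
ENV_INDICATORS = {
    "APPDOMAIN_MANAGER_ASM",
    "APPDOMAIN_MANAGER_TYPE",
    "COMPLUS_APPDOMAINMANAGERASM",
    "COMPLUS_APPDOMAINMANAGERTYPE",
}

# Registry key and value names the .NET Framework CLR reads for the same settings.
REGISTRY_KEY = r"HKLM\SOFTWARE\Microsoft\.NETFramework"
REGISTRY_VALUES = {"appdomainmanagerasm", "appdomainmanagertype"}

# <runtime> child elements in an .exe.config that carry the setting.
CONFIG_ELEMENTS = {"appDomainManagerAssembly", "appDomainManagerType"}


def check_config(config_xml: str) -> list[str]:
    """Findings for appDomainManager* elements under <configuration><runtime>."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        # An unparsable config is itself worth a look; report rather than silently skip.
        return [f"config: unparsable XML ({exc})"]
    findings = []
    for runtime in root.iter("runtime"):
        for child in runtime:
            if child.tag in CONFIG_ELEMENTS:
                findings.append(f'config: <{child.tag} value="{child.get("value", "")}">')
    return findings


def check_environment(env: dict[str, str]) -> list[str]:
    """Findings for AppDomainManager variables in a process environment block."""
    return [f"env: {name}={value}" for name, value in env.items()
            if name.upper() in ENV_INDICATORS]


def check_registry(values: list[tuple[str, str, str]]) -> list[str]:
    """Findings for (key, value_name, data) triples under the .NETFramework key."""
    return [f"registry: {key}\\{name}={data}" for key, name, data in values
            if key.lower() == REGISTRY_KEY.lower() and name.lower() in REGISTRY_VALUES]


def audit(config_xml: str, env: dict[str, str],
          registry_values: list[tuple[str, str, str]]) -> list[str]:
    """Run all three checks and return the combined findings."""
    return check_config(config_xml) + check_environment(env) + check_registry(registry_values)


# Constructed sample inputs (not real artifacts): one config carrying the
# setting, one benign config, an env block and registry values with one hit each.
SUSPECT_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="ExampleManagerAssembly, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Example.Manager" />
  </runtime>
</configuration>"""

BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" />
  </startup>
</configuration>"""

SAMPLE_ENV = {"PATH": r"C:\Windows\System32", "COMPlus_AppDomainManagerAsm": "ExampleManagerAssembly"}
SAMPLE_REGISTRY = [
    (REGISTRY_KEY, "InstallRoot", r"C:\Windows\Microsoft.NET\Framework64"),
    (REGISTRY_KEY, "AppDomainManagerType", "Example.Manager"),
]

if __name__ == "__main__":
    for finding in audit(SUSPECT_CONFIG, SAMPLE_ENV, SAMPLE_REGISTRY):
        print(finding)
```

On a real host the config text, environment block and registry values would be collected with the usual Windows tooling and fed into `audit()`; the checks are kept separate so that a single hit (for example an `.exe.config` carrying `appDomainManagerAssembly` for a host process that never legitimately ships one) can be triaged on its own.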

MITRE ATT&CK

  • Tactic: Persistence, Privilege Escalation, Defense Evasion
  • Technique: T1574 Hijack Execution Flow
  • Sub-technique: T1574.014 AppDomainManager
  • Canonical reference: https://attack.mitre.org/techniques/T1574/014/

YARA-L Detection Query

Google Chronicle (YARA-L)
```yaral
rule T1574_014_hijack_execution {
  meta:
    author = "Detection Engineering"
    description = "Detects execution flow hijacking via installer or DLL path manipulation"
    severity = "high"
    confidence = "medium"
    mitre_attack = "T1574.014"
    reference = "https://attack.mitre.org/techniques/T1574/014/"

  events:
    // Process launches whose image sits under a Temp or AppData directory.
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)\\temp\\.*\.exe`) or
      re.regex($e.target.process.file.full_path, `(?i)\\appdata\\.*\.exe`)
    )
    // Exclude well-known installer parents and SYSTEM-owned activity.
    not re.regex($e.principal.process.file.full_path, `(?i)(msiexec|trustedinstaller|wusa|dpinst)`)
    $e.principal.user.user_display_name != "SYSTEM"

  condition:
    $e
}
```

Google Chronicle YARA-L 2.0 detection for AppDomainManager. Detects AppDomainManager injection across three attack vectors using Microsoft Defender for Endpoint tables. Vector 1 (high confidence): Registry modification creating AppDomainManagerAsm or AppDomain

Data Sources

  • Google Chronicle SIEM
  • Endpoint telemetry

Required Tables

PROCESS_LAUNCH

False Positives & Tuning

  • Legitimate multi-stage installer processes that modify binaries during installation phases
  • Enterprise software deployment tools staging installer components in temp directories
  • Self-updating applications that download and replace their own binaries
  • Archive utilities that extract executables to temp before running them

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: AppDomainManager Registry Key Injection

    Expected signal: Sysmon EventID 12 (Registry Object Created) and EventID 13 (Registry Value Set) under TargetObject 'HKLM\SOFTWARE\Microsoft\.NETFramework\AppDomainManagerAsm' and 'HKLM\SOFTWARE\Microsoft\.NETFramework\AppDomainManagerType'. Security EventID 4657 (Registry value modified) if object access auditing is enabled. The process creating the key will be reg.exe (with cmd.exe as its parent).

  2. Test 2: AppDomainManager Config File Injection

    Expected signal: Sysmon EventID 11 (File Created) with TargetFilename='%TEMP%\msbuild.exe.config'. The process creating the file will be cmd.exe. The file path falls under \Temp\, which matches the suspicious path filter in the rule above. Security EventID 4663 if file auditing is enabled on the temp directory.

  3. Test 3: AppDomainManager Environment Variable Injection

    Expected signal: Sysmon EventID 1 (Process Create) for cmd.exe and child msbuild.exe. The environment block of msbuild.exe will contain APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE variables (visible in memory forensics). Sysmon EventID 3 may fire if .NET runtime attempts to locate the assembly via network path. MSBuild will fail with TypeLoadException in its output but process creation events fire regardless.

  4. Test 4: Malicious AppDomainManager DLL Drop and Load Simulation

    Expected signal: Sysmon EventID 1: csc.exe process creation compiling the malicious DLL. Sysmon EventID 11: Df00TechTestAssembly.dll created in %TEMP%, InstallUtil.exe.config created in .NETFramework directory. Sysmon EventID 7: InstallUtil.exe loading Df00TechTestAssembly.dll from %TEMP% (the injected AppDomainManager). Sysmon EventID 11: marker file df00tech-appdomain-injection-test.txt created in %TEMP% as proof-of-execution. MDE DeviceImageLoadEvents will show InstallUtil.exe loading a DLL from the temp path.
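The expected signals above map each test to a small set of Sysmon event types and target fields. The following Python matcher is an added example (not code from the original page or from Atomic Red Team) that tags constructed Sysmon-style event records with the injection vector they evidence: EventID 12/13 on the AppDomainManagerAsm/AppDomainManagerType values (Test 1), EventID 11 on an .exe.config written under Temp or AppData (Test 2), EventID 1 where the variable name appears in the recorded command line (Test 3; this is an assumption, since the page notes the environment block itself is only visible in memory forensics), and EventID 7 where a known .NET host loads a DLL from a temp path (Test 4). The event dicts, paths and the list of host process names are constructed for illustration.

```python
"""Match Sysmon-style events to the AppDomainManager injection signals.

Added example, not part of the original page: tags constructed Sysmon events
(EventID 1, 7, 11, 12, 13) with the injection vector they evidence.  Event
records are plain dicts using Sysmon field names; all values are constructed.
"""
from __future__ import annotations

import re

# Test 1: registry values the CLR reads for the AppDomainManager settings.
REG_VALUE_RE = re.compile(r"\\\.NETFramework\\AppDomainManager(Asm|Type)$", re.IGNORECASE)
# Test 2: an application config dropped under a user-writable temp location.
CONFIG_FILE_RE = re.compile(r"\\(Temp|AppData)\\.*\.exe\.config$", re.IGNORECASE)
# Test 3 (assumption): the variable name shows up in a recorded command line.
ENV_VAR_RE = re.compile(r"(APPDOMAIN_MANAGER_(ASM|TYPE)|COMPlus_AppDomainManager(Asm|Type))", re.IGNORECASE)
# Test 4: a DLL image loaded from a temp location by a .NET host process.
TEMP_DLL_RE = re.compile(r"\\(Temp|AppData)\\.*\.dll$", re.IGNORECASE)
# .NET host processes named on the page; the set is illustrative, not exhaustive.
DOTNET_HOSTS = {"msbuild.exe", "installutil.exe", "w3wp.exe"}


def classify(event: dict) -> str | None:
    """Return the vector an event evidences, or None if it matches no signal."""
    eid = event.get("EventID")
    if eid in (12, 13) and REG_VALUE_RE.search(event.get("TargetObject", "")):
        return "registry"
    if eid == 11 and CONFIG_FILE_RE.search(event.get("TargetFilename", "")):
        return "config_file"
    if eid == 1 and ENV_VAR_RE.search(event.get("CommandLine", "")):
        return "env_var"
    if eid == 7:
        image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
        if image in DOTNET_HOSTS and TEMP_DLL_RE.search(event.get("ImageLoaded", "")):
            return "dll_load"
    return None


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """Run classify() over a batch and keep only the events that fired."""
    hits = []
    for event in events:
        vector = classify(event)
        if vector is not None:
            hits.append((event["EventID"], vector))
    return hits


# Constructed sample events: one per test plus two benign records that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\.NETFramework\AppDomainManagerAsm",
     "Details": "ExampleTestAssembly"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\analyst\AppData\Local\Temp\msbuild.exe.config"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c set APPDOMAIN_MANAGER_ASM=ExampleTestAssembly && msbuild.exe"},
    {"EventID": 7, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "ImageLoaded": r"C:\Users\analyst\AppData\Local\Temp\Df00TechTestAssembly.dll"},
    # Benign: the runtime's own assembly loaded from its install directory.
    {"EventID": 7, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll"},
    # Benign: an unrelated value under the same .NETFramework key.
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\.NETFramework\InstallRoot"},
]

if __name__ == "__main__":
    for event_id, vector in detect(SAMPLE_EVENTS):
        print(f"EventID {event_id}: {vector}")
```

The benign records matter as much as the hits: the registry pattern is anchored on the two value names rather than the whole .NETFramework key, and the image-load pattern requires both a .NET host image and a temp-path DLL, which is what keeps the runtime's own assemblies (loaded from the install directory) out of the results.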

Unlock Pro Content

Get the full detection package for T1574.014 including response playbook, investigation guide, and Atomic Red Team tests.

