T1574.014 Microsoft Sentinel · KQL

Detect AppDomainManager in Microsoft Sentinel

Adversaries may execute their own malicious payloads by hijacking how the .NET AppDomainManager loads assemblies. Known as AppDomainManager injection, this technique forces a legitimate .NET application to load and execute a malicious assembly by manipulating application configuration files (.exe.config), setting process environment variables (APPDOMAIN_MANAGER_ASM, APPDOMAIN_MANAGER_TYPE, or their COMPlus_ prefixed equivalents — COMPlus_AppDomainManagerAsm, COMPlus_AppDomainManagerType), or modifying HKLM\SOFTWARE\Microsoft\.NETFramework registry keys. Because the malicious code executes inside a trusted .NET host process, it inherits the process's privileges and evades detections focused on process-spawn anomalies. Iran-nexus threat actor Yellow Liderc (IMPERIAL KITTEN) deployed IMAPLoader malware against maritime, shipping, and logistics sector victims using this technique. Real-world usage demonstrates that adversaries target high-value .NET host processes (IIS worker processes, MSBuild, InstallUtil, custom enterprise applications) to maximize privilege and blend into legitimate process telemetry.

MITRE ATT&CK

Tactic: Persistence, Privilege Escalation, Defense Evasion
Technique: T1574 Hijack Execution Flow
Sub-technique: T1574.014 AppDomainManager
Canonical reference: https://attack.mitre.org/techniques/T1574/014/

KQL Detection Query

Microsoft Sentinel (KQL)

```kusto
// T1574.014 — AppDomainManager Injection
// Detection covers three injection vectors: registry, config file, and suspicious assembly load
// Note: DeviceRegistryEvents, DeviceFileEvents and DeviceImageLoadEvents carry the acting
// user in InitiatingProcessAccountName; these tables have no AccountName column.
let SuspiciousPaths = dynamic([
    @"\Temp\", @"\AppData\Local\Temp\", @"\AppData\Roaming\",
    @"\ProgramData\", @"\Users\Public\", @"\Downloads\",
    @"\Desktop\", @"\AppData\Local\Microsoft\Windows\INetCache\"
]);
let DotNetHostProcesses = dynamic([
    "dotnet.exe", "msbuild.exe", "installutil.exe", "regsvcs.exe",
    "regasm.exe", "aspnet_compiler.exe", "csc.exe", "vbc.exe",
    "mscorsvw.exe", "ngen.exe", "dfsvc.exe"
]);
// Vector 1: Registry-based AppDomainManager hijack
let RegistryVector =
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has @"SOFTWARE\Microsoft\.NETFramework"
| where RegistryValueName in~ ("AppDomainManagerAsm", "AppDomainManagerType")
| extend InjectionVector = "Registry"
| extend DetectionDetail = strcat("Registry key: ", RegistryKey, " | Value: ", RegistryValueName, " = ", RegistryValueData)
| project Timestamp, DeviceName, ActionType, InjectionVector, DetectionDetail,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName;
// Vector 2: Suspicious .config file creation or modification
let ConfigFileVector =
DeviceFileEvents
| where Timestamp > ago(24h)
// web.config is ASP.NET site configuration, not an AppDomainManager vector, so it is excluded by exact name
| where FileName endswith ".exe.config" or (FileName endswith ".config" and FileName !~ "web.config")
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FolderPath has_any (SuspiciousPaths)
    or (FolderPath !has @"\Program Files" and FolderPath !has @"\Windows\" and FolderPath !has @"\Program Files (x86)")
| where InitiatingProcessFileName !in~ ("msiexec.exe", "setup.exe", "installer.exe", "update.exe", "updater.exe")
| extend InjectionVector = "ConfigFile"
| extend DetectionDetail = strcat("Config file: ", FolderPath, "\\", FileName, " | Action: ", ActionType)
| project Timestamp, DeviceName, ActionType, InjectionVector, DetectionDetail,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName;
// Vector 3: .NET host process loading assembly from suspicious/writable path
let AssemblyLoadVector =
DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where FileName endswith ".dll"
| where FolderPath has_any (SuspiciousPaths)
| where (InitiatingProcessFileName in~ (DotNetHostProcesses))
    or (InitiatingProcessFolderPath has @"\Microsoft.NET\Framework")
    or (InitiatingProcessFolderPath has @"\Microsoft.NET\Framework64")
| extend InjectionVector = "AssemblyLoad"
| extend DetectionDetail = strcat("Assembly: ", FolderPath, "\\", FileName, " loaded by ", InitiatingProcessFileName)
| project Timestamp, DeviceName, ActionType = "AssemblyLoaded", InjectionVector, DetectionDetail,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName;
union RegistryVector, ConfigFileVector, AssemblyLoadVector
| sort by Timestamp desc
```

Severity: high · Confidence: medium

Detects AppDomainManager injection across three attack vectors using Microsoft Defender for Endpoint tables. Vector 1 (high confidence): Registry modification creating AppDomainManagerAsm or AppDomainManagerType values under HKLM\SOFTWARE\Microsoft\.NETFramework — a rare operation in normal environments. Vector 2 (medium confidence): Creation or modification of .exe.config files in user-writable or temporary paths by non-installer processes, which adversaries use to redirect assembly loading for target applications. Vector 3 (medium confidence): Trusted .NET host processes (dotnet.exe, msbuild.exe, installutil.exe, etc.) loading DLL assemblies from writable directories including %TEMP%, %APPDATA%, %ProgramData%, and %PUBLIC%, which is anomalous for legitimate software installations that deploy to Program Files or Windows directories.
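To make the three-vector logic above testable outside Sentinel, the following Python is an added example (not the page's query or any vendor code) that re-implements the same registry, config-file and assembly-load checks over MDE-style event records, and goes one step beyond the query by also flagging the environment-variable vector named in the description (APPDOMAIN_MANAGER_ASM, APPDOMAIN_MANAGER_TYPE and their COMPlus_ equivalents) when those names appear on a command line. Table names and column names follow the KQL; all sample events, device names and file names are constructed for this example. The web.config exclusion and the installer-process exclusion are exercised by two benign rows.

```python
from typing import Optional

# Constants mirror the lists in the page's KQL query (paths, .NET hosts, installers).
SUSPICIOUS_PATHS = (
    "\\Temp\\", "\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\",
    "\\ProgramData\\", "\\Users\\Public\\", "\\Downloads\\",
    "\\Desktop\\", "\\AppData\\Local\\Microsoft\\Windows\\INetCache\\",
)
TRUSTED_INSTALL_ROOTS = ("\\Program Files", "\\Program Files (x86)", "\\Windows\\")
DOTNET_HOSTS = {
    "dotnet.exe", "msbuild.exe", "installutil.exe", "regsvcs.exe", "regasm.exe",
    "aspnet_compiler.exe", "csc.exe", "vbc.exe", "mscorsvw.exe", "ngen.exe", "dfsvc.exe",
}
INSTALLER_PROCESSES = {"msiexec.exe", "setup.exe", "installer.exe", "update.exe", "updater.exe"}
REGISTRY_VALUE_NAMES = {"appdomainmanagerasm", "appdomainmanagertype"}
# Environment-variable names from the page's description. Matching them on a command
# line is an assumption added here; the page's KQL does not cover this vector.
ENV_VAR_NAMES = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE",
                 "COMPlus_AppDomainManagerAsm", "COMPlus_AppDomainManagerType")


def _norm_folder(folder: str) -> str:
    # MDE FolderPath has no trailing backslash; add one so "\Temp\" style patterns match.
    return folder.lower().rstrip("\\") + "\\"


def _in_suspicious_path(folder: str) -> bool:
    f = _norm_folder(folder)
    return any(p.lower() in f for p in SUSPICIOUS_PATHS)


def _outside_trusted_roots(folder: str) -> bool:
    f = _norm_folder(folder)
    return not any(r.lower() in f for r in TRUSTED_INSTALL_ROOTS)


def classify(event: dict) -> Optional[str]:
    """Return the injection vector an MDE-style event matches, or None if benign."""
    table = event["Table"]
    if table == "DeviceRegistryEvents":
        key = event.get("RegistryKey", "").lower()
        value = event.get("RegistryValueName", "").lower()
        if "software\\microsoft\\.netframework" in key and value in REGISTRY_VALUE_NAMES:
            return "Registry"
        return None
    if table == "DeviceFileEvents":
        name = event["FileName"].lower()
        # web.config is ASP.NET site configuration, not an AppDomainManager vector
        if not name.endswith(".config") or name == "web.config":
            return None
        if event["ActionType"] not in ("FileCreated", "FileModified", "FileRenamed"):
            return None
        if event["InitiatingProcessFileName"].lower() in INSTALLER_PROCESSES:
            return None
        folder = event["FolderPath"]
        return "ConfigFile" if _in_suspicious_path(folder) or _outside_trusted_roots(folder) else None
    if table == "DeviceImageLoadEvents":
        if not event["FileName"].lower().endswith(".dll") or not _in_suspicious_path(event["FolderPath"]):
            return None
        proc = event["InitiatingProcessFileName"].lower()
        proc_dir = event.get("InitiatingProcessFolderPath", "").lower()
        # "\microsoft.net\framework" also covers the Framework64 directory
        if proc in DOTNET_HOSTS or "\\microsoft.net\\framework" in proc_dir:
            return "AssemblyLoad"
        return None
    if table == "DeviceProcessEvents":
        cmd = event.get("ProcessCommandLine", "").lower()
        if any(v.lower() in cmd for v in ENV_VAR_NAMES):
            return "EnvironmentVariable"
        return None
    return None


def detect(events) -> list:
    """Run classify() over a batch; return (vector, detail) for every hit."""
    hits = []
    for e in events:
        vector = classify(e)
        if vector:
            hits.append((vector, f"{e['InitiatingProcessFileName']} on {e['DeviceName']}"))
    return hits


# Constructed sample telemetry (not real data): one hit per vector plus two benign rows.
SAMPLE_EVENTS = [
    {"Table": "DeviceRegistryEvents", "DeviceName": "ws01",
     "RegistryKey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework",
     "RegistryValueName": "AppDomainManagerAsm", "InitiatingProcessFileName": "reg.exe"},
    {"Table": "DeviceFileEvents", "DeviceName": "ws01", "FileName": "msbuild.exe.config",
     "FolderPath": "C:\\Users\\alice\\AppData\\Local\\Temp", "ActionType": "FileCreated",
     "InitiatingProcessFileName": "cmd.exe"},
    {"Table": "DeviceFileEvents", "DeviceName": "web01", "FileName": "web.config",  # benign: ASP.NET site config
     "FolderPath": "C:\\inetpub\\wwwroot\\app", "ActionType": "FileModified",
     "InitiatingProcessFileName": "w3wp.exe"},
    {"Table": "DeviceFileEvents", "DeviceName": "ws02", "FileName": "vendor.exe.config",  # benign: installer
     "FolderPath": "C:\\Program Files\\Vendor", "ActionType": "FileCreated",
     "InitiatingProcessFileName": "msiexec.exe"},
    {"Table": "DeviceImageLoadEvents", "DeviceName": "ws01", "FileName": "Loader.dll",
     "FolderPath": "C:\\Users\\alice\\AppData\\Local\\Temp",
     "InitiatingProcessFileName": "InstallUtil.exe",
     "InitiatingProcessFolderPath": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319"},
    {"Table": "DeviceProcessEvents", "DeviceName": "ws01", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "cmd.exe /c set APPDOMAIN_MANAGER_ASM=Example.Loader && msbuild.exe"},
]

if __name__ == "__main__":
    for vector, detail in detect(SAMPLE_EVENTS):
        print(f"[{vector}] {detail}")
```

Running the block prints four hits (Registry, ConfigFile, AssemblyLoad, EnvironmentVariable) and stays silent on the web.config and msiexec rows, which is the behaviour the tuning notes below expect from the Sentinel rule.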

Data Sources

  • Registry: Windows Registry Key Modification
  • File: File Creation / File Modification
  • Module: Module Load
  • Process: Process Creation
  • Microsoft Defender for Endpoint

Required Tables

  • DeviceRegistryEvents
  • DeviceFileEvents
  • DeviceImageLoadEvents

False Positives & Tuning

  • Software development environments (Visual Studio, JetBrains Rider) that create .exe.config files during build/debug cycles in user profile paths
  • Custom enterprise .NET applications legitimately installing themselves to %APPDATA% or %ProgramData% with valid config files referencing side-by-side assemblies
  • NuGet package installations or .NET tool installs via 'dotnet tool install' that place assemblies in %USERPROFILE%\.dotnet\tools or %APPDATA%\NuGet directories
  • Legitimate AppDomainManager extensions used by application frameworks (Unity Engine, Mono runtime, .NET testing frameworks like xUnit AppDomain isolation)
  • Security or monitoring software that hooks into .NET processes for telemetry collection using documented AppDomain extensibility

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: AppDomainManager Registry Key Injection

    Expected signal: Sysmon EventID 12 (Registry Object Created) and EventID 13 (Registry Value Set) under TargetObject 'HKLM\SOFTWARE\Microsoft\.NETFramework\AppDomainManagerAsm' and 'HKLM\SOFTWARE\Microsoft\.NETFramework\AppDomainManagerType'. Security EventID 4657 (Registry value modified) if object access auditing is enabled. Process creating the key will be reg.exe (or cmd.exe parent).

  2. Test 2: AppDomainManager Config File Injection

    Expected signal: Sysmon EventID 11 (File Created) with TargetFilename='%TEMP%\msbuild.exe.config'. Process creating the file will be cmd.exe. The file path falls under \Temp\ which matches the suspicious path filter. Security EventID 4663 if file auditing is enabled on the temp directory.

  3. Test 3: AppDomainManager Environment Variable Injection

    Expected signal: Sysmon EventID 1 (Process Create) for cmd.exe and child msbuild.exe. The environment block of msbuild.exe will contain APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE variables (visible in memory forensics). Sysmon EventID 3 may fire if .NET runtime attempts to locate the assembly via network path. MSBuild will fail with TypeLoadException in its output but process creation events fire regardless.

  4. Test 4: Malicious AppDomainManager DLL Drop and Load Simulation

    Expected signal: Sysmon EventID 1: csc.exe process creation compiling the malicious DLL. Sysmon EventID 11: Df00TechTestAssembly.dll created in %TEMP%, InstallUtil.exe.config created in .NETFramework directory. Sysmon EventID 7: InstallUtil.exe loading Df00TechTestAssembly.dll from %TEMP% (the injected AppDomainManager). Sysmon EventID 11: marker file df00tech-appdomain-injection-test.txt created in %TEMP% as proof-of-execution. MDE DeviceImageLoadEvents will show InstallUtil.exe loading a DLL from the temp path.
