Detect AppDomainManager in Splunk
Adversaries may execute their own malicious payloads by hijacking how the .NET AppDomainManager loads assemblies. Known as AppDomainManager injection, this technique forces a legitimate .NET application to load and execute a malicious assembly by manipulating application configuration files (.exe.config), setting process environment variables (APPDOMAIN_MANAGER_ASM, APPDOMAIN_MANAGER_TYPE, or their COMPlus_ prefixed equivalents — COMPlus_AppDomainManagerAsm, COMPlus_AppDomainManagerType), or modifying HKLM\SOFTWARE\Microsoft\.NETFramework registry keys. Because the malicious code executes inside a trusted .NET host process, it inherits the process's privileges and evades detections focused on process-spawn anomalies. Iran-nexus threat actor Yellow Liderc (IMPERIAL KITTEN) deployed IMAPLoader malware against maritime, shipping, and logistics sector victims using this technique. Real-world usage demonstrates that adversaries target high-value .NET host processes (IIS worker processes, MSBuild, InstallUtil, custom enterprise applications) to maximize privilege and blend into legitimate process telemetry.
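The three vectors named above (a .exe.config `<runtime>` element, a process environment variable, or a registry value) each leave a host-side artifact that can be audited directly. The following Python script is an added example written for this page, not code from the original page or from any referenced project: it parses a .exe.config for the documented appDomainManagerAssembly / appDomainManagerType elements, scans an environment block for the four variable names (case-insensitively, as Windows does), and reads the two registry values when it runs on Windows. The two configs, the environment block and the `ExampleLoader` assembly name are constructed for illustration.

```python
"""Host-side audit for the three AppDomainManager injection vectors (added example)."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Environment variable names that redirect AppDomainManager resolution.
# Windows matches variable names case-insensitively, so the scan folds case.
APPDOMAIN_ENV_VARS = (
    "APPDOMAIN_MANAGER_ASM",
    "APPDOMAIN_MANAGER_TYPE",
    "COMPlus_AppDomainManagerAsm",
    "COMPlus_AppDomainManagerType",
)

# Registry values under HKLM\SOFTWARE\Microsoft\.NETFramework that the rule watches.
APPDOMAIN_REG_VALUES = ("AppDomainManagerAsm", "AppDomainManagerType")
NETFRAMEWORK_KEY = r"SOFTWARE\Microsoft\.NETFramework"


def find_appdomainmanager_config(xml_text: str) -> List[str]:
    """Return 'element=value' findings for <runtime> children that set an AppDomainManager.

    A config that only uses assemblyBinding/probing yields no findings.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"unparseable config: {exc}"]
    wanted = {"appdomainmanagerassembly", "appdomainmanagertype"}
    findings: List[str] = []
    for runtime in root.iter("runtime"):
        for child in runtime:
            if not isinstance(child.tag, str):
                continue
            # Strip any XML namespace and compare case-insensitively.
            local = child.tag.rsplit("}", 1)[-1]
            if local.lower() in wanted:
                findings.append(f"{local}={child.get('value', '')}")
    return findings


def find_appdomainmanager_env(env: Dict[str, str]) -> List[str]:
    """Return 'NAME=value' for any AppDomainManager override present in an environment block."""
    wanted = {name.lower() for name in APPDOMAIN_ENV_VARS}
    return sorted(f"{k}={v}" for k, v in env.items() if k.lower() in wanted)


def read_appdomainmanager_registry() -> Dict[str, str]:
    """Read the watched values from HKLM; returns {} on non-Windows hosts or when absent."""
    try:
        import winreg  # Windows only
    except ImportError:
        return {}
    found: Dict[str, str] = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NETFRAMEWORK_KEY) as key:
            for name in APPDOMAIN_REG_VALUES:
                try:
                    value, _ = winreg.QueryValueEx(key, name)
                    found[name] = str(value)
                except FileNotFoundError:
                    continue
    except OSError:
        pass
    return found


# Constructed inputs: a benign config with only assembly probing, and one that sets a manager.
BENIGN_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <probing privatePath="lib" />
    </assemblyBinding>
  </runtime>
</configuration>"""

SUSPICIOUS_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="ExampleLoader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="ExampleLoader.Manager" />
  </runtime>
</configuration>"""

# Constructed environment block; note the mixed-case variable name.
SAMPLE_ENV = {"Path": r"C:\Windows\System32", "ComPlus_AppDomainManagerAsm": "ExampleLoader"}

if __name__ == "__main__":
    print(find_appdomainmanager_config(SUSPICIOUS_CONFIG))
    print(find_appdomainmanager_env(SAMPLE_ENV))
    print(read_appdomainmanager_registry())
```

Run it against a process's environment (for example a dump of the environment block from a memory image, as Test 3 below relies on) and against every .exe.config found in the writable directories the query lists; a non-empty result from any of the three functions is the same signal the SPL branches look for, just collected from the endpoint itself.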
MITRE ATT&CK
- Technique: T1574 Hijack Execution Flow
- Sub-technique: T1574.014 AppDomainManager
- Canonical reference: https://attack.mitre.org/techniques/T1574/014/
SPL Detection Query
index=wineventlog (
(
sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
(EventCode=12 OR EventCode=13)
TargetObject="*\\SOFTWARE\\Microsoft\\.NETFramework*"
(TargetObject="*AppDomainManagerAsm*" OR TargetObject="*AppDomainManagerType*")
)
OR
(
sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
EventCode=11
(TargetFilename="*.exe.config")
(TargetFilename="*\\Temp\\*" OR TargetFilename="*\\AppData\\*" OR TargetFilename="*\\ProgramData\\*" OR TargetFilename="*\\Users\\Public\\*" OR TargetFilename="*\\Downloads\\*" OR TargetFilename="*\\Desktop\\*")
)
OR
(
sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
EventCode=7
(ImageLoaded="*\\Temp\\*.dll" OR ImageLoaded="*\\AppData\\*.dll" OR ImageLoaded="*\\ProgramData\\*.dll" OR ImageLoaded="*\\Users\\Public\\*.dll" OR ImageLoaded="*\\Downloads\\*.dll")
(Image="*\\dotnet.exe" OR Image="*\\msbuild.exe" OR Image="*\\installutil.exe" OR Image="*\\regsvcs.exe" OR Image="*\\regasm.exe" OR Image="*\\csc.exe" OR Image="*\\aspnet_compiler.exe" OR Image="*\\Microsoft.NET\\*")
)
)
| eval InjectionVector=case(
(EventCode=12 OR EventCode=13), "Registry-AppDomainManager",
EventCode=11, "ConfigFile-Suspicious",
EventCode=7, "AssemblyLoad-WritablePath",
true(), "Unknown"
)
| eval RiskScore=case(
InjectionVector="Registry-AppDomainManager", 90,
InjectionVector="ConfigFile-Suspicious", 60,
InjectionVector="AssemblyLoad-WritablePath", 50,
true(), 10
)
| eval Indicator=coalesce(TargetObject, TargetFilename, ImageLoaded)
| eval ProcessInfo=coalesce(Image, ProcessImage)
| search NOT (Image="*\\msiexec.exe" OR Image="*\\setup.exe" OR Image="*\\installer.exe" OR Image="*\\update.exe")
| table _time, host, User, EventCode, InjectionVector, RiskScore, Indicator, ProcessInfo, CommandLine, ParentImage
| sort - RiskScore, - _time

The query detects AppDomainManager injection across three Sysmon event types. EventCode 12/13 (Registry Create/Set) monitors HKLM\SOFTWARE\Microsoft\.NETFramework for creation of the AppDomainManagerAsm and AppDomainManagerType values; this is the highest-confidence vector, as these values have almost no legitimate use. EventCode 11 (File Create) monitors for .exe.config file creation in the writable and temp directories that adversaries use to hijack .NET assembly loading. EventCode 7 (Image Load) monitors trusted .NET host processes loading DLL assemblies from non-standard writable locations, which indicates a successful AppDomainManager injection payload executing. The installer exclusion is applied with `search` rather than `where`, because `where` compares strings literally and would not expand the `*` wildcards. Results are scored by injection vector for analyst prioritization.
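To see exactly which events the three branches, the scoring and the installer exclusion keep or drop, the same logic is re-implemented below in Python over a handful of constructed Sysmon events. This is an added example, not code from the original page or any referenced project; the events are constructed to mirror the expected signals of Tests 1, 2 and 4 in the Testing Methodology section (a reg.exe registry write, a cmd.exe config drop into %TEMP%, and InstallUtil.exe loading a DLL from %TEMP%), plus two that the rule should not report. Wildcard matching is done the way Splunk's `search` does it: `*` only, case-insensitive, with backslashes taken literally.

```python
"""The SPL rule's branch logic, scoring and installer exclusion, re-implemented over
constructed Sysmon events (added example, not the page's own code)."""
import fnmatch
from typing import Dict, Iterable, List, Optional, Sequence

SYSMON_SOURCETYPE = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"

# Wildcard lists copied from the query; matching is case-insensitive like Splunk's.
WRITABLE_DIRS = (r"*\Temp\*", r"*\AppData\*", r"*\ProgramData\*",
                 r"*\Users\Public\*", r"*\Downloads\*", r"*\Desktop\*")
WRITABLE_DLLS = (r"*\Temp\*.dll", r"*\AppData\*.dll", r"*\ProgramData\*.dll",
                 r"*\Users\Public\*.dll", r"*\Downloads\*.dll")
DOTNET_HOSTS = (r"*\dotnet.exe", r"*\msbuild.exe", r"*\installutil.exe", r"*\regsvcs.exe",
                r"*\regasm.exe", r"*\csc.exe", r"*\aspnet_compiler.exe", r"*\Microsoft.NET\*")
INSTALLER_EXCLUSIONS = (r"*\msiexec.exe", r"*\setup.exe", r"*\installer.exe", r"*\update.exe")
RISK_SCORE = {"Registry-AppDomainManager": 90, "ConfigFile-Suspicious": 60,
              "AssemblyLoad-WritablePath": 50}


def _matches(value: Optional[str], patterns: Sequence[str]) -> bool:
    """Splunk-style wildcard match: '*' only, case-insensitive, backslashes literal."""
    if value is None:
        return False
    folded = value.lower()
    return any(fnmatch.fnmatchcase(folded, p.lower()) for p in patterns)


def classify(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return the row the SPL would emit for this event, or None when the rule drops it."""
    if event.get("sourcetype") != SYSMON_SOURCETYPE:
        return None
    code = int(event.get("EventCode", 0))
    image = event.get("Image")
    vector = None
    if code in (12, 13):  # registry object created / value set
        target = event.get("TargetObject")
        if (_matches(target, (r"*\SOFTWARE\Microsoft\.NETFramework*",))
                and _matches(target, ("*AppDomainManagerAsm*", "*AppDomainManagerType*"))):
            vector = "Registry-AppDomainManager"
    elif code == 11:  # file created
        name = event.get("TargetFilename")
        if _matches(name, ("*.exe.config",)) and _matches(name, WRITABLE_DIRS):
            vector = "ConfigFile-Suspicious"
    elif code == 7:  # image loaded
        if _matches(event.get("ImageLoaded"), WRITABLE_DLLS) and _matches(image, DOTNET_HOSTS):
            vector = "AssemblyLoad-WritablePath"
    # Installer exclusion: applied after the branch match, as the query's search NOT (...) does.
    if vector is None or _matches(image, INSTALLER_EXCLUSIONS):
        return None
    return {
        "host": event.get("host"),
        "EventCode": code,
        "InjectionVector": vector,
        "RiskScore": RISK_SCORE[vector],
        # coalesce(TargetObject, TargetFilename, ImageLoaded)
        "Indicator": event.get("TargetObject") or event.get("TargetFilename") or event.get("ImageLoaded"),
        "ProcessInfo": image,
    }


def run_detection(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply classify() to every event and order rows by RiskScore descending (stable sort)."""
    rows = [row for row in (classify(e) for e in events) if row is not None]
    rows.sort(key=lambda r: -int(r["RiskScore"]))
    return rows


# Constructed events; host name and user path are placeholders.
_SYS = {"sourcetype": SYSMON_SOURCETYPE, "host": "WS01"}
SAMPLE_EVENTS = [
    # Test 1 style: reg.exe sets AppDomainManagerAsm under HKLM\SOFTWARE\Microsoft\.NETFramework
    {**_SYS, "EventCode": "13", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\.NETFramework\AppDomainManagerAsm"},
    # Test 2 style: cmd.exe drops msbuild.exe.config into %TEMP%
    {**_SYS, "EventCode": "11", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\msbuild.exe.config"},
    # Test 4 style: InstallUtil.exe loads a DLL from %TEMP%
    {**_SYS, "EventCode": "7", "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Df00TechTestAssembly.dll"},
    # Installer writing a config to ProgramData: matched by the branch, then removed by the exclusion
    {**_SYS, "EventCode": "11", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\ProgramData\Vendor\App.exe.config"},
    # Non-.NET host loading a DLL from AppData: outside the EventCode 7 branch
    {**_SYS, "EventCode": "7", "Image": r"C:\Program Files\Vendor\Tool.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Plugin.dll"},
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row["RiskScore"], row["InjectionVector"], row["Indicator"], row["ProcessInfo"])
```

Feeding the five constructed events through `run_detection` yields three rows ordered 90, 60, 50; the msiexec.exe config write is removed by the exclusion even though its path matched, and the non-.NET host never enters the EventCode 7 branch. Swapping in exported Sysmon events from a test host is a quick way to check tuning changes to the path lists before editing the production search.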
Data Sources
Required Sourcetypes
False Positives & Tuning
- Software development environments creating .exe.config files in user-writable build output directories during compilation or debugging
- Custom enterprise applications legitimately deployed to %APPDATA% or %ProgramData% with .NET assembly side-loading configurations
- Security software using .NET AppDomain extensibility for process instrumentation and telemetry collection
- Unit testing frameworks (xUnit, NUnit, MSTest) that use AppDomain isolation for test execution in development machines
- .NET SDK tools and dotnet CLI commands that install global tools or deploy assemblies to user-local directories
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: AppDomainManager Registry Key Injection
  Expected signal: Sysmon EventID 12 (Registry Object Created) and EventID 13 (Registry Value Set) with TargetObject 'HKLM\SOFTWARE\Microsoft\.NETFramework\AppDomainManagerAsm' and 'HKLM\SOFTWARE\Microsoft\.NETFramework\AppDomainManagerType'. Security EventID 4657 (Registry value modified) if object access auditing is enabled. The process creating the key will be reg.exe (or its cmd.exe parent).
- Test 2: AppDomainManager Config File Injection
  Expected signal: Sysmon EventID 11 (File Created) with TargetFilename='%TEMP%\msbuild.exe.config'. The process creating the file will be cmd.exe. The file path falls under \Temp\, which matches the suspicious path filter. Security EventID 4663 if file auditing is enabled on the temp directory.
- Test 3: AppDomainManager Environment Variable Injection
  Expected signal: Sysmon EventID 1 (Process Create) for cmd.exe and its child msbuild.exe. The environment block of msbuild.exe will contain the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE variables (visible in memory forensics). Sysmon EventID 3 may fire if the .NET runtime attempts to locate the assembly via a network path. MSBuild will fail with a TypeLoadException in its output, but the process creation events fire regardless.
- Test 4: Malicious AppDomainManager DLL Drop and Load Simulation
  Expected signal: Sysmon EventID 1: csc.exe process creation compiling the malicious DLL. Sysmon EventID 11: Df00TechTestAssembly.dll created in %TEMP%, and InstallUtil.exe.config created in the .NETFramework directory. Sysmon EventID 7: InstallUtil.exe loading Df00TechTestAssembly.dll from %TEMP% (the injected AppDomainManager). Sysmon EventID 11: marker file df00tech-appdomain-injection-test.txt created in %TEMP% as proof of execution. MDE DeviceImageLoadEvents will show InstallUtil.exe loading a DLL from the temp path.
References (11)
- https://attack.mitre.org/techniques/T1574/014/
- https://pentestlaboratories.com/2020/05/26/appdomainmanager-injection-and-detection/
- https://www.rapid7.com/blog/post/2023/05/05/appdomain-manager-injection-new-techniques-for-red-teams/
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
- https://learn.microsoft.com/dotnet/framework/app-domains/application-domains
- https://learn.microsoft.com/en-us/dotnet/api/system.appdomainmanager
- https://learn.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/runtime/appdomainmanagerassembly-element
- https://bohops.com/2022/04/02/unmanaged-code-execution-with-net-dynamic-pinvoke/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.014/T1574.014.md
- https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_appdomain_manager_injection.yml