title: AppDomainManager (T1574.014)
id: df00tech-t1574-014
status: experimental
description: "Adversaries may execute their own payloads by hijacking how the .NET Framework CLR locates its AppDomainManager. Known as AppDomainManager injection, the technique makes a legitimate .NET executable load and instantiate an attacker-controlled assembly during runtime initialization, before the application's own entry point runs. The CLR resolves the manager from three locations, any of which an adversary can control: the application's configuration file (<name>.exe.config, via the appDomainManagerAssembly and appDomainManagerType elements under <runtime>), the process environment (APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE, or their COMPlus_ prefixed equivalents COMPlus_AppDomainManagerAsm and COMPlus_AppDomainManagerType), and the machine-wide AppDomainManagerAssembly and AppDomainManagerType values under HKLM\\SOFTWARE\\Microsoft\\.NETFramework. Because the code executes inside a trusted, often signed, .NET host process, it inherits that process's privileges and evades detections focused on process-spawn anomalies. Iran-nexus threat actor Yellow Liderc (IMPERIAL KITTEN) deployed IMAPLoader malware against maritime, shipping, and logistics sector victims using this technique. Since any .NET Framework executable is a candidate host, attractive targets include IIS worker processes, MSBuild, InstallUtil, and custom enterprise applications, which maximizes privilege and blends the payload into legitimate process telemetry."
references:
  - https://attack.mitre.org/techniques/T1574/014/
  - https://df00tech.com/detections/T1574.014
author: df00tech
date: 2026/03/13
tags:
  - attack.t1574.014
logsource:
  category: registry_set
  product: windows
detection:
  # Covers the machine-wide persistence point: the CLR reads the AppDomainManagerAssembly and
  # AppDomainManagerType values from HKLM\SOFTWARE\Microsoft\.NETFramework (and Wow6432Node).
  # The .exe.config and environment-variable variants leave no registry trace; pair this rule
  # with file and command-line coverage (see the KQL/SPL query on df00tech).
  selection:
    TargetObject|contains: '\Microsoft\.NETFramework\'
    TargetObject|endswith:
      - '\AppDomainManagerAssembly'
      - '\AppDomainManagerType'
  condition: selection
falsepositives:
  - "Software development environments (Visual Studio, JetBrains Rider) that create .exe.config files during build/debug cycles in user profile paths"
  - "Custom enterprise .NET applications legitimately installing themselves to %APPDATA% or %ProgramData% with valid config files referencing side-by-side assemblies"
  - "NuGet package installations or .NET tool installs via 'dotnet tool install' that place assemblies in %USERPROFILE%\\.dotnet\\tools or %APPDATA%\\NuGet directories"
  - "Legitimate AppDomainManager extensions used by application frameworks (Unity Engine, Mono runtime, .NET testing frameworks like xUnit AppDomain isolation)"
  - Security or monitoring software that hooks into .NET processes for telemetry collection using documented AppDomain extensibility
level: high
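The description above lists three channels the CLR consults for its AppDomainManager (registry, process environment, and the <name>.exe.config), and the Sigma rule only sees the first. The following triage script, an added example that is not part of the df00tech rule or of any vendor tooling, runs a check for each channel over constructed Sysmon-style events (EventID 13 registry SetValue and EventID 1 process creation, using Sysmon's TargetObject, Details, Image and CommandLine field names) and over two constructed config files. The "Updater" assembly, the jdoe user path, and the benign look-alike events are hypothetical; the check_* function names are this example's own.

```python
"""Triage AppDomainManager injection (T1574.014) indicators across the three places the
CLR reads its manager from. Added example; events, paths, assembly names and config
files below are constructed, and field names mimic Sysmon EventData."""
import re
import xml.etree.ElementTree as ET

# Environment variables the CLR honours (APPDOMAIN_MANAGER_* and COMPlus_ forms).
ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE",
            "COMPlus_AppDomainManagerAsm", "COMPlus_AppDomainManagerType")
# Value names read from HKLM\SOFTWARE\Microsoft\.NETFramework (and Wow6432Node).
REG_VALUES = {"AppDomainManagerAssembly", "AppDomainManagerType"}
REG_KEY_RE = re.compile(r"\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\\.NETFramework\\", re.I)
# A config (and thus a manager assembly) under a user-writable tree is the high-signal case.
USER_WRITABLE_RE = re.compile(r"\\(?:Users|ProgramData|Temp)\\", re.I)


def check_config(xml_text, config_path):
    """Flag an .exe.config whose <runtime> names an AppDomainManager."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return []
    runtime = root.find("runtime")
    if runtime is None:
        return []
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return []
    return [{"indicator": "config_appdomainmanager", "config": config_path,
             "assembly": None if asm is None else asm.get("value"),
             "type": None if typ is None else typ.get("value"),
             "user_writable": bool(USER_WRITABLE_RE.search(config_path))}]


def check_registry_event(ev):
    """Sysmon EventID 13: SetValue on one of the two machine-wide manager values."""
    target = ev.get("TargetObject", "")
    value_name = target.rsplit("\\", 1)[-1]
    if REG_KEY_RE.search(target) and value_name in REG_VALUES:
        return [{"indicator": "registry_appdomainmanager", "target": target,
                 "details": ev.get("Details"), "image": ev.get("Image")}]
    return []


def check_process_event(ev):
    """Sysmon EventID 1 carries no environment block, so the only process-creation
    signal is the variable being set on the command line itself."""
    cmd = ev.get("CommandLine", "")
    hits = sorted(v for v in ENV_VARS if re.search(r"\b%s\b" % re.escape(v), cmd, re.I))
    if not hits:
        return []
    return [{"indicator": "process_env_appdomainmanager", "variables": hits, "command_line": cmd}]


def triage(events, configs):
    """Run every check; findings come back in input order (events first, then configs)."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 13:
            findings += check_registry_event(ev)
        elif ev.get("EventID") == 1:
            findings += check_process_event(ev)
    for path, text in configs:
        findings += check_config(text, path)
    return findings


# Constructed telemetry: one true hit per channel plus a benign look-alike for each.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\.NETFramework\\AppDomainManagerAssembly",
     "Details": "Updater, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe",  # same hive, benign value
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\SchUseStrongCrypto",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c set APPDOMAIN_MANAGER_ASM=Updater&& set APPDOMAIN_MANAGER_TYPE="
                    "Updater.Mgr&& C:\\Users\\jdoe\\AppData\\Roaming\\Tool\\tool.exe"},
    {"EventID": 1, "Image": "C:\\Program Files (x86)\\MSBuild\\msbuild.exe",
     "CommandLine": "msbuild.exe build.proj /p:Configuration=Release"},
]
MALICIOUS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Updater, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Updater.Mgr" />
  </runtime>
</configuration>"""
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" /></startup>
  <runtime><assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1" /></runtime>
</configuration>"""
SAMPLE_CONFIGS = [("C:\\Users\\jdoe\\AppData\\Roaming\\Tool\\tool.exe.config", MALICIOUS_CONFIG),
                  ("C:\\Program Files\\Vendor\\app.exe.config", BENIGN_CONFIG)]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, SAMPLE_CONFIGS):
        print(finding)
```

Running the script yields exactly three findings, one per channel; the SchUseStrongCrypto write under the same hive, the plain MSBuild invocation, and the vendor config with an ordinary assemblyBinding block are all left alone. The user_writable flag on the config finding is the field to sort on in practice: a manager assembly next to an executable under Program Files usually matches one of the false positives listed above, while the same elements in a config under a user profile rarely do.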
