This document provides guidance for detecting AppDomain Injection techniques. Use this during Purple Team exercises to validate your detection capabilities.
File system indicators:

| Indicator | Description |
|---|---|
| `*.exe.config` in temp directories | Config files shouldn't exist in %TEMP% |
| Unsigned DLLs near Microsoft binaries | Legitimate MS binaries don't ship with third-party DLLs |
| Microsoft binaries in unusual locations | powershell.exe in %TEMP% is suspicious |
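The first row only says the file is in the wrong place; what separates a config-file hijack from a stray config is its content. As an added example (not part of this guide or the AppDomainInjector tool), the Python below parses a `.exe.config` and reports whether it carries the two `<runtime>` settings that point the CLR at a custom AppDomainManager (`appDomainManagerAssembly` and `appDomainManagerType`, documented .NET runtime settings), then combines that with the path indicator from the table. The sample configs, paths and the `ExampleManager` name are constructed.

```python
"""Added example, not part of the original guide: triage a .exe.config found in a
suspicious location by checking whether it names a custom AppDomainManager."""
import xml.etree.ElementTree as ET

# The two <runtime> settings that make the CLR load a custom AppDomainManager.
MANAGER_SETTINGS = ("appDomainManagerAssembly", "appDomainManagerType")
# Directories from the indicator table where a .exe.config has no business being.
SUSPICIOUS_DIRS = ("\\temp\\", "\\appdata\\")

# Constructed samples: a normal startup-only config and one that redirects the manager.
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""

SUSPICIOUS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="ExampleManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="ExampleManager.Hook" />
  </runtime>
</configuration>"""


def inspect_exe_config(xml_text):
    """Return {setting: value} for any AppDomainManager settings found under <runtime>.
    Empty dict: none present. None: not well-formed XML (itself worth a look)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    found = {}
    for runtime in root.iter("runtime"):
        for child in runtime:
            if child.tag in MANAGER_SETTINGS:
                found[child.tag] = child.get("value", "")
    return found


def classify(path, xml_text):
    """Combine the path indicator with the content check into a triage verdict."""
    odd_place = any(d in path.lower() for d in SUSPICIOUS_DIRS)
    settings = inspect_exe_config(xml_text)
    if settings is None:
        return "review: config is not well-formed XML"
    if settings:
        where = " in suspicious path" if odd_place else ""
        return "high: AppDomainManager settings present" + where
    return "medium: config in suspicious path" if odd_place else "low"


if __name__ == "__main__":
    print(classify(r"C:\Users\bob\AppData\Local\Temp\powershell.exe.config", SUSPICIOUS_CONFIG))
    print(classify(r"C:\Program Files\Vendor\app.exe.config", BENIGN_CONFIG))
```

Feed `classify` the `TargetFilename` from a Sysmon Event 11 plus the file's bytes read from disk; a config that fails to parse is returned for manual review rather than silently rated low.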
Process indicators:

| Indicator | Description |
|---|---|
| MS binary executing from %TEMP% | Legitimate execution is from System32/SysWOW64 |
| MS binary loading unsigned DLLs | Check ImageLoad events for unsigned modules |
| Child process spawned unexpectedly | calc.exe from powershell.exe in %TEMP% |
Environment variables to watch for:

| Variable | Suspicion Level |
|---|---|
| APPDOMAIN_MANAGER_ASM | HIGH - Rarely used legitimately |
| APPDOMAIN_MANAGER_TYPE | HIGH - Rarely used legitimately |
| COMPLUS_Version | MEDIUM - Has legitimate uses |
Process and runtime telemetry indicators:

| Indicator | Description |
|---|---|
| Process with APPDOMAIN_MANAGER_* | Capture env vars on process creation |
| Unexpected DLL loads in .NET processes | Monitor ImageLoad events |
| ETW events for AppDomainManager | Microsoft-Windows-DotNETRuntime provider |
Add these to your Sysmon config (the schemaversion must not be newer than the installed Sysmon's; `sysmon -s` prints the supported schema):

```xml
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- File Create (Event 11): .exe.config written under Temp or AppData.
           Sibling filters in one block are OR'd, so both tests go in an and-Rule -->
      <FileCreate onmatch="include">
        <Rule groupRelation="and">
          <TargetFilename condition="end with">.exe.config</TargetFilename>
          <TargetFilename condition="contains any">\Temp\;\AppData\</TargetFilename>
        </Rule>
      </FileCreate>
      <!-- Image Load (Event 7): unsigned DLLs loaded by signed MS binaries.
           Signed-only is broad; add Image filters once you know your noise level -->
      <ImageLoad onmatch="include">
        <Signed condition="is">false</Signed>
      </ImageLoad>
      <!-- Process Create (Event 1): command lines of commonly abused .NET hosts.
           Sysmon logs CommandLine and ParentCommandLine, not the environment block -->
      <ProcessCreate onmatch="include">
        <Image condition="end with">powershell.exe</Image>
        <Image condition="end with">msbuild.exe</Image>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Sigma rule for the config-file indicator:

```yaml
title: AppDomainManager Config File Hijack
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
status: experimental
description: Detects creation of .exe.config files in suspicious locations
author: Purple Team
references:
  - https://attack.mitre.org/techniques/T1574/001/
logsource:
  product: windows
  category: file_event
detection:
  selection:
    TargetFilename|endswith: '.exe.config'
  filter_legitimate_paths:
    TargetFilename|startswith:
      - 'C:\Program Files'
      - 'C:\Windows\Microsoft.NET'
  condition: selection and not filter_legitimate_paths
level: high
tags:
  - attack.defense_evasion
  - attack.t1574.001
```

Sigma rule for the environment-variable indicator. Sysmon does not record a process's environment block, so the rule looks for the variable names in the command line of the process or of its parent (the wrapper shell that set them); an EDR that captures the environment is the more reliable source:

```yaml
title: AppDomainManager Injection via Environment Variables
id: b2c3d4e5-f6a7-8901-bcde-f12345678901
status: experimental
description: Detects processes started with AppDomainManager environment variables
author: Purple Team
references:
  - https://attack.mitre.org/techniques/T1055/
logsource:
  product: windows
  category: process_creation
detection:
  selection_env:
    - CommandLine|contains:
        - 'APPDOMAIN_MANAGER_ASM'
        - 'APPDOMAIN_MANAGER_TYPE'
    - ParentCommandLine|contains:
        - 'APPDOMAIN_MANAGER_ASM'
        - 'APPDOMAIN_MANAGER_TYPE'
  condition: selection_env
level: high
tags:
  - attack.defense_evasion
  - attack.privilege_escalation
  - attack.t1055
```

Sigma rule for Microsoft binaries executing from temp directories:

```yaml
title: Microsoft Binary Executed from Suspicious Location
id: c3d4e5f6-a7b8-9012-cdef-123456789012
status: experimental
description: Detects Microsoft-signed binaries running from temp directories
author: Purple Team
logsource:
  product: windows
  category: process_creation
detection:
  selection_binary:
    Image|endswith:
      - '\powershell.exe'
      - '\msbuild.exe'
      - '\csc.exe'
      - '\installutil.exe'
  selection_path:
    Image|contains:
      - '\Temp\'
      - '\AppData\Local\Temp\'
  condition: selection_binary and selection_path
level: high
tags:
  - attack.defense_evasion
  - attack.t1574.001
```

Enable this ETW provider to monitor .NET runtime events:

```powershell
# Create the session. Keyword 0x8 is the CLR Loader keyword, which carries the
# AppDomainLoad / AssemblyLoad / ModuleLoad events listed below
logman create trace DotNetTrace -p Microsoft-Windows-DotNETRuntime 0x8 -o dotnet.etl
logman start DotNetTrace
# ... run the exercise ...
# Stop the session and convert the trace for analysis
logman stop DotNetTrace
tracerpt dotnet.etl -o dotnet.xml -of XML
```

Key events to monitor:

- AppDomainLoad - New AppDomain created
- AssemblyLoad - Assembly loaded into process
- ModuleLoad - Module loaded
Prerequisites before running the exercise:

- Sysmon installed and configured
- Log forwarding to SIEM active
- Detection rules deployed
- Alert channels configured

Test procedure:

- Baseline: note the current alert count
- Execute the config hijack:
  ```
  AppDomainInjector.exe --technique config --target powershell.exe --iocs
  ```
- Verify detections:
  - Check for Sysmon Event 11 (FileCreate)
  - Check for Sysmon Event 7 (ImageLoad)
  - Check for Sysmon Event 1 (ProcessCreate)
- Execute the env var hijack:
  ```
  AppDomainInjector.exe --technique env --target powershell.exe --iocs
  ```
- Verify detections:
  - Check for a process with suspicious env vars
  - Check for ETW events
- Document results: note which detections fired and which were missed
Expected alerts per technique:

| Technique | Expected Alerts |
|---|---|
| Config Hijack | File creation, unsigned DLL load, unusual process location |
| Env Var Hijack | Process with env vars (if captured), ETW events |
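To run the indicator tables, the three Sigma rules and the verification step end to end, here is an added Python example (not part of this guide or the AppDomainInjector tool). It re-implements the rule logic as plain functions, evaluates them over constructed Sysmon-style events, and scores which of the expected alerts fired for each technique, which is the fired/missed record the last step asks for. The event dicts, paths and the `ExampleManager` name are constructed; the "ETW events" expectation is left out because the sample carries only Sysmon fields.

```python
"""Added example, not part of the original guide: re-implements the detection
rules above over constructed Sysmon-style events and reports which of the
expected alerts fired for each purple-team technique."""

# Hosts the "MS binary from Temp" and "unsigned DLL" checks care about.
MS_BINARIES = ("\\powershell.exe", "\\msbuild.exe", "\\csc.exe", "\\installutil.exe")
LEGIT_CONFIG_ROOTS = ("c:\\program files", "c:\\windows\\microsoft.net")
ENV_MARKERS = ("appdomain_manager_asm", "appdomain_manager_type")

# Constructed sample events (not real telemetry) using Sysmon field names.
EVENTS = [
    # Config hijack: .exe.config dropped in %TEMP%, host copied there, unsigned DLL loaded
    {"EventID": 11, "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\powershell.exe.config"},
    {"EventID": 1, "Image": r"C:\Users\bob\AppData\Local\Temp\powershell.exe",
     "CommandLine": "powershell.exe", "ParentCommandLine": "explorer.exe"},
    {"EventID": 7, "Image": r"C:\Users\bob\AppData\Local\Temp\powershell.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\ExampleManager.dll", "Signed": "false"},
    # Env var hijack: a wrapper shell sets APPDOMAIN_MANAGER_* before starting the host
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe",
     "ParentCommandLine": 'cmd.exe /c "set APPDOMAIN_MANAGER_ASM=ExampleManager && powershell.exe"'},
    # Benign noise the filters must ignore
    {"EventID": 11, "TargetFilename": r"C:\Program Files\Vendor\app.exe.config"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe", "ParentCommandLine": "explorer.exe"},
]


def _field(ev, name):
    """Case-folded field value; Windows paths and env var names are case-insensitive."""
    return str(ev.get(name, "")).lower()


def config_file_hijack(ev):
    """Sigma rule 1: .exe.config created outside Program Files / Microsoft.NET."""
    name = _field(ev, "TargetFilename")
    return (ev.get("EventID") == 11 and name.endswith(".exe.config")
            and not name.startswith(LEGIT_CONFIG_ROOTS))


def env_var_injection(ev):
    """Sigma rule 2: APPDOMAIN_MANAGER_* visible in the process's or parent's command line."""
    text = _field(ev, "CommandLine") + " " + _field(ev, "ParentCommandLine")
    return ev.get("EventID") == 1 and any(m in text for m in ENV_MARKERS)


def ms_binary_from_temp(ev):
    """Sigma rule 3: an abused Microsoft binary executing from a Temp directory."""
    image = _field(ev, "Image")
    return ev.get("EventID") == 1 and image.endswith(MS_BINARIES) and "\\temp\\" in image


def unsigned_dll_by_ms_binary(ev):
    """ImageLoad indicator: one of the MS hosts loading an unsigned module."""
    return (ev.get("EventID") == 7 and _field(ev, "Signed") == "false"
            and _field(ev, "Image").endswith(MS_BINARIES))


# Alert names follow the expected-alerts table; "ETW events" needs a different source.
RULES = {
    "file creation": config_file_hijack,
    "unusual process location": ms_binary_from_temp,
    "unsigned DLL load": unsigned_dll_by_ms_binary,
    "process with env vars": env_var_injection,
}
EXPECTED = {
    "Config Hijack": {"file creation", "unsigned DLL load", "unusual process location"},
    "Env Var Hijack": {"process with env vars"},
}


def run_rules(events):
    """Return {alert name: [indices of matching events]} for every rule."""
    hits = {name: [] for name in RULES}
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(i)
    return hits


def score(events):
    """Compare the alerts that fired with the expected set for each technique."""
    fired = {name for name, idx in run_rules(events).items() if idx}
    return {tech: {"fired": want & fired, "missed": want - fired}
            for tech, want in EXPECTED.items()}


if __name__ == "__main__":
    for tech, result in score(EVENTS).items():
        print(f"{tech}: fired={sorted(result['fired'])} missed={sorted(result['missed'])}")
```

Replace `EVENTS` with the Sysmon events exported from your SIEM for the exercise window and `score` gives you the fired/missed table directly; dropping the Event 7 records from the sample is a quick way to see what an ImageLoad gap looks like in the output.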
Common gaps and how to close them:

- Environment variables not captured
  - Solution: Enable Sysmon with command line logging
  - Solution: Use EDR that captures process environment
- Unsigned DLL loads not monitored
  - Solution: Enable Sysmon ImageLoad events
  - Solution: Implement application whitelisting
- ETW not collected
  - Solution: Enable .NET runtime ETW provider
  - Solution: Forward to SIEM for analysis
Mitigations that reduce exposure to the technique:

- Application Whitelisting: Block execution from %TEMP%
- Code Signing: Require signed assemblies via policy
- Constrained Language Mode: Limit PowerShell capabilities
- AMSI Integration: Ensure AMSI scans loaded assemblies