216.73.217.172

T1574.014: AppDomainManager

View on MITRE ATT&CK The MITRE Corporation · Published 28/03/2024 16:36 · Modified 27/03/2026 01:09

Essential information

MITRE technique ID
T1574.014
Confidence
100/100
Revoked
No
Published
28/03/2024 16:36
Modified
27/03/2026 01:09
Author / Source
The MITRE Corporation

Platforms

windows

Description

Adversaries may execute their own malicious payloads by hijacking how the .NET `AppDomainManager` loads assemblies. The .NET framework uses the `AppDomainManager` class to create and manage one or more isolated runtime environments (called application domains) inside a process to host the execution of .NET applications. Assemblies (`.exe` or `.dll` binaries compiled to run as .NET code) may be loaded into an application domain as executable code.(Citation: Microsoft App Domains) Known as "AppDomainManager injection," adversaries may execute arbitrary code by hijacking how .NET applications load assemblies. For example, malware may create a custom application domain inside a target process to load and execute an arbitrary assembly. Alternatively, configuration files (`.config`) or process environment variables that define .NET runtime settings may be tampered with to instruct otherwise benign .NET applications to load a malicious assembly (identified by name) into the target process.(Citation: PenTestLabs AppDomainManagerInject)(Citation: PwC Yellow Liderc)(Citation: Rapid7 AppDomain Manager Injection)

Kill chain phases

Kill chainPhase
mitre-attack defense-evasion
mitre-attack persistence
mitre-attack privilege-escalation

Marking (TLP)

Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references