Skip to content

DET0517 Detection Strategy for Hijack Execution Flow through the AppDomainManager on Windows.

Item Value
ID DET0517
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1574.014 (AppDomainManager)

Analytics

Windows

AN1433

Detection focuses on unauthorized manipulation of .NET AppDomainManager behavior. Defenders may observe suspicious creation of new AppDomains within trusted processes, anomalous loading of assemblies via non-standard configuration files, or registry/environment variable changes redirecting AppDomainManager to malicious assemblies. Correlated events include config file tampering, new process creation of .NET host processes (e.g., w3wp.exe, powershell.exe) with modified runtime parameters, and module loads of unusual or unsigned .NET DLLs.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Security EventCode=4688
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Module Load (DC0016) WinEventLog:Sysmon EventCode=7
Mutable Elements
Field Description
TargetProcesses List of monitored .NET host processes (e.g., powershell.exe, w3wp.exe, svchost.exe).
AssemblyWhitelist Known benign .NET assemblies expected to load via AppDomainManager.
ConfigFilePaths Directory paths where configuration tampering should be monitored (application directories, system32, program files).
TimeWindow Correlation period between file modification of config/environment settings and subsequent anomalous module load.