TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Huntress

Hiding in Plain Sight with App Domain Manager Injection

2026-02-19

ATT&CK techniques detected

9 predictions
T1055.001 Dynamic-link Library Injection
99%
“by bending existing application logic to their will rather than introducing obviously malicious binaries. according to smith, a staff threat intelligence analyst here at huntress, app domain manager injection operates inside the .net framework's initialization process. when a. …”
T1055.001 Dynamic-link Library Injection
95%
“it works against any .net framework application, leverages trusted microsoft-signed binaries, and can be used for local or remote code execution. he also noted that app domain manager injection represents a later-stage technique in an attack chain. if detected, it indicates t…”
T1055.001 Dynamic-link Library Injection
80%
“hiding in plain sight with app domain manager injection a little-known feature of the .net framework allows attackers to execute malicious code inside trusted, microsoft-signed applications without exploiting a software flaw or dropping a standalone payload. by manipulating c…”
T1055.001 Dynamic-link Library Injection
69%
“team assessments from a defensive perspective, smith and hammond emphasized that unusual execution paths are a primary signal to investigate, particularly when trusted .net binaries that normally reside in system directories are launched from writable or unexpected locations. the…”
T1218 System Binary Proxy Execution
61%
“normally finds a binary a third variation uses environment variables rather than configuration files. according to published microsoft documentation, an attacker can set appdomain_manager_asm and appdomain_manager_type to globally influence .net assembly resolution behavi…”
T1218 System Binary Proxy Execution
41%
“team assessments from a defensive perspective, smith and hammond emphasized that unusual execution paths are a primary signal to investigate, particularly when trusted .net binaries that normally reside in system directories are launched from writable or unexpected locations. the…”
T1059.001 PowerShell
37%
“normally finds a binary a third variation uses environment variables rather than configuration files. according to published microsoft documentation, an attacker can set appdomain_manager_asm and appdomain_manager_type to globally influence .net assembly resolution behavi…”
T1574.001 DLL
31%
“team assessments from a defensive perspective, smith and hammond emphasized that unusual execution paths are a primary signal to investigate, particularly when trusted .net binaries that normally reside in system directories are launched from writable or unexpected locations. the…”
T1055.001 Dynamic-link Library Injection
31%
“normally finds a binary a third variation uses environment variables rather than configuration files. according to published microsoft documentation, an attacker can set appdomain_manager_asm and appdomain_manager_type to globally influence .net assembly resolution behavi…”

Summary

Uncover how attackers use App Domain Manager injection to run code inside trusted .NET apps by tweaking config files and bypassing application controls. Learn key strategies to detect and stop these attacks.