create new application domain in .NET

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: create new application domain in .NET
    namespace: host-interaction/memory
    authors:
      - jakub.jozwiak@mandiant.com
    scopes:
      static: file
      dynamic: unsupported  # requires class features
    att&ck:
      - Persistence::Hijack Execution Flow [T1574]
    mbc:
      - Persistence::Hijack Execution Flow [F0015]
    references:
      - https://learn.microsoft.com/en-us/dotnet/framework/app-domains/application-domains
      - https://www.rapid7.com/blog/post/2023/05/05/appdomain-manager-injection-new-techniques-for-red-teams/
    examples:
      - 6f6acca4d3696e08af9ed80f237f3542c362ebc2bcc9759bb64aa3f5c007320e
  features:
    - and:
      - format: dotnet
      - class: System.AppDomainManager
      - class: System.AppDomainSetup
      - or:
        - string: "InitializeNewDomain"
        - string: "CreateDomain"

last edited: 2023-11-24 10:34:28