Adversaries may execute their own malicious payloads by hijacking how the .NET AppDomainManager loads assemblies. The .NET framework uses the `AppDomainManager` class to create and manage one or more isolated runtime environments (called application domains) inside a process to host the execution of .NET applications. Assemblies (`.exe` or `.dll` binaries compiled to run as .NET code) may be loaded into an application domain as executable code.(Citation: Microsoft App Domains)

Known as "AppDomainManager injection," adversaries may execute arbitrary code by hijacking how .NET applications load assemblies. For example, malware may create a custom application domain inside a target process to load and execute an arbitrary assembly. Alternatively, configuration files (`.config`) or process environment variables that define .NET runtime settings may be tampered with to instruct otherwise benign .NET applications to load a malicious assembly (identified by name) into the target process.(Citation: PenTestLabs AppDomainManagerInject)(Citation: PwC Yellow Liderc)(Citation: Rapid7 AppDomain Manager Injection)
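A defender-side check for the configuration-file and environment-variable vectors described above, added here as an example that is not part of the ATT&CK page or of any cited reference: it parses a .NET application `.config` for the `appDomainManagerAssembly`/`appDomainManagerType` runtime elements and inspects a process environment for `APPDOMAIN_MANAGER_ASM`/`APPDOMAIN_MANAGER_TYPE`. The element and variable names are the documented .NET runtime settings; the sample configs, the environment dictionary and the `Sample.Manager` values are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from typing import Dict

# Documented .NET <runtime> elements that choose which AppDomainManager the CLR
# instantiates; ordinary applications almost never set them.
SUSPECT_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")
# Process environment variables that set the same CLR options.
SUSPECT_ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")

def find_config_overrides(config_xml: str) -> Dict[str, str]:
    """Return {element: value} for AppDomainManager overrides in a .config.
    Malformed XML yields a 'parse_error' entry instead of an exception: a
    config that no longer parses is itself worth an analyst's attention."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        return {"parse_error": str(exc)}
    runtime = root.find("runtime")
    if runtime is None:
        return {}
    return {c.tag: c.get("value", "") for c in runtime if c.tag in SUSPECT_ELEMENTS}

def find_env_overrides(env: Dict[str, str]) -> Dict[str, str]:
    """Return the AppDomainManager overrides present in a process environment."""
    return {k: v for k, v in env.items() if k.upper() in SUSPECT_ENV_VARS}

def assess(config_xml: str, env: Dict[str, str]) -> str:
    """Classify one process: 'unparseable', 'override' (config or env) or 'clean'."""
    hits = find_config_overrides(config_xml)
    if "parse_error" in hits:
        return "unparseable"
    return "override" if hits or find_env_overrides(env) else "clean"

# Constructed sample inputs for the demonstration (not from any real incident).
BENIGN_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
  <runtime><gcServer enabled="true" /></runtime>
</configuration>"""
TAMPERED_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="Sample.Manager, Version=1.0.0.0, Culture=neutral" />
    <appDomainManagerType value="Sample.Manager.Entry" />
  </runtime>
</configuration>"""
TAMPERED_ENV = {"PATH": r"C:\Windows", "APPDOMAIN_MANAGER_ASM": "Sample.Manager",
                "APPDOMAIN_MANAGER_TYPE": "Sample.Manager.Entry"}

if __name__ == "__main__":
    print(assess(BENIGN_CONFIG, {}), assess(TAMPERED_CONFIG, {}), assess(BENIGN_CONFIG, TAMPERED_ENV))
```

Run over each `.config` next to a .NET executable (and over the environment of each running .NET process) to flag the settings the file-integrity and configuration controls in the tables below are mapped to.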
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CA-07 | Continuous Monitoring | mitigates | T1574.014 | AppDomainManager | |
CM-06 | Configuration Settings | mitigates | T1574.014 | AppDomainManager | |
CM-05 | Access Restrictions for Change | mitigates | T1574.014 | AppDomainManager | |
SI-10 | Information Input Validation | mitigates | T1574.014 | AppDomainManager | |
SI-03 | Malicious Code Protection | mitigates | T1574.014 | AppDomainManager | |
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1574.014 | AppDomainManager | |
CM-07 | Least Functionality | mitigates | T1574.014 | AppDomainManager | |
SI-04 | System Monitoring | mitigates | T1574.014 | AppDomainManager | |
AC-03 | Access Enforcement | mitigates | T1574.014 | AppDomainManager | |
AC-06 | Least Privilege | mitigates | T1574.014 | AppDomainManager | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Export data | Export data to another site or system | related-to | T1574.014 | AppDomainManager | |
action.hacking.variety.Hijack | To assume control over and steal functionality for an illicit purpose (e.g. hijacking a phone number to intercept SMS verification codes) | related-to | T1574.014 | AppDomainManager | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1574.014 | AppDomainManager | |

Comments: This control can detect file changes on VMs indicative of hijacking of the AppDomainManager.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PUR-AUS-E5 | Audit Solutions | Technique Scores | T1574.014 | AppDomainManager | |

Comments:
Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.
Microsoft's Audit Solutions protect against SharePoint attacks by providing the visibility that allows admins to periodically review accounts and privileges for critical and sensitive repositories.
License Requirements:
Microsoft 365 E3 and E5