AppDomain Manager Injection: New Techniques For Red Teams

property            value
tags                offensive-tradecraft,tactic-lol,tactic-process-injection,tradecraft-tool
url
original_word_count 2739

Article Excerpt

AppDomain Manager Injection is a very versatile and useful technique for red team operators. This technique allows you to effectively turn any Microsoft .NET application on a Windows host into a lolbin (Living Off the Land Binary) by forcing the application to load a specially crafted .

Long Summary

AppDomain Manager Injection is a powerful technique used by red team operators to achieve a variety of objectives. It involves loading a malicious .NET assembly into a target process, allowing the operator to execute arbitrary code. The technique can be used to package AppDomain Manager DLLs in initial access payloads, to perform lateral movement, and to establish persistence through mechanisms such as scheduled tasks or service binaries.

The article explains two ways to trigger this technique: creating a configuration file that names the AppDomain Manager library's assembly and type in the appdomainManagerAssembly and appdomainManagerType properties, or setting three process environment variables, APPDOMAIN_MANAGER_ASM, APPDOMAIN_MANAGER_TYPE, and COMPLUS_VERSION. It also demonstrates how Image Path spoofing can force any .NET application on disk to load a malicious DLL from an arbitrary location.
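Both trigger paths described above leave a visible artifact on the host: an AppDomain manager declared under the config file's runtime element, or the three environment variables present in a process's environment block. The following checker, added here as an illustration and not code from the article or from GhostLoader, inspects both artifacts; the config samples, the environment dict and the assembly name ExampleMgr are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# The three environment variables the article names as the env-var trigger.
TRIGGER_ENV_VARS = {"APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE", "COMPLUS_VERSION"}


def find_config_trigger(config_xml: str) -> dict:
    """Return {'assembly': ..., 'type': ...} when a .NET app/exe config declares an
    AppDomain manager under <runtime>, else {}. Tag names are compared
    case-insensitively so casing variants in a planted file are not missed."""
    found = {}
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return found  # malformed config: nothing this check can report
    for elem in root.iter():
        if elem.tag.lower() != "runtime":
            continue
        for child in elem:
            tag = child.tag.lower()
            if tag == "appdomainmanagerassembly":
                found["assembly"] = child.get("value", "")
            elif tag == "appdomainmanagertype":
                found["type"] = child.get("value", "")
    return found


def find_env_trigger(env: dict) -> dict:
    """Return the entries of a process environment block whose names match the
    trigger variables (names compared case-insensitively)."""
    return {k: v for k, v in env.items() if k.upper() in TRIGGER_ENV_VARS}


def is_complete_env_trigger(env: dict) -> bool:
    """True only when all three variables are set, i.e. the env-var path is armed."""
    return {k.upper() for k in find_env_trigger(env)} == TRIGGER_ENV_VARS


# Constructed samples for the demonstration (not taken from the article).
SUSPICIOUS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="ExampleMgr, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="ExampleMgr.Manager" />
  </runtime>
</configuration>"""
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration><startup><supportedRuntime version="v4.0" /></startup></configuration>"""
SUSPICIOUS_ENV = {"PATH": "C:\\Windows", "APPDOMAIN_MANAGER_ASM": "ExampleMgr, Version=1.0.0.0",
                  "APPDOMAIN_MANAGER_TYPE": "ExampleMgr.Manager", "COMPLUS_Version": "v4.0.30319"}

if __name__ == "__main__":
    print(find_config_trigger(SUSPICIOUS_CONFIG), find_config_trigger(BENIGN_CONFIG))
    print(find_env_trigger(SUSPICIOUS_ENV), is_complete_env_trigger(SUSPICIOUS_ENV))
```

In practice the config check runs over every *.exe.config beside a .NET binary, and the environment check over the environment blocks of newly created processes, which is where a WMI-launched process with these variables set would stand out.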

The article then explains how to perform AppDomain Manager Injection over WMI using C# code. The code takes the remote host, the process to create, and an optional username / password combination. It copies the current process's environment block into a string array and adds the environment variables required to trigger AppDomain Manager Injection. The environment block is passed to the Win32_ProcessStartup WMI class, which is in turn passed to the Win32_Process class; its Create method is then invoked to start the target process.

The article also discusses GhostLoader, a tool developed by netbiosX that covers both the injection and the detection of AppDomainManager. It can be used to detect malicious activity and prevent unauthorized access.

Overall, this article provides a comprehensive overview of AppDomain Manager Injection and how it can be used for red team operations. It explains how to trigger the technique, how to use it for lateral movement, and how to perform AppDomain Manager Injection via WMI from C# code. It also provides techniques to mitigate the flaws of earlier AppDomain Manager Injection methods. Additionally, it discusses the GhostLoader tool, which can be used to detect malicious activity and prevent unauthorized access. By understanding the injection and detection of AppDomainManager, together with the Octoberfest7 original tweet and the Snovvcrash ImagePath spoofing PoC, developers can take steps to protect their applications from malicious actors.

Short Summary

📓 AppDomain Manager Injection: New Techniques For Red Teams

👉🏽 AppDomain Manager Injection is a very versatile and useful technique for red team operators. This technique allows you to effectively turn any Microsoft .NET application on a Windows host into a lolbin (Living Off the Land Binary) by forcing the application to load a specially crafted . The article covers the technique and its use for red team operations. Loading a malicious .NET assembly into a target process allows arbitrary code execution. AppDomain Manager Injection can be used for initial access payloads, lateral movement, and persistence. Two ways to trigger the technique are explained: configuration files and process environment variables. Image Path spoofing can force any .NET application to load a malicious DLL from an arbitrary location. C# code can perform AppDomain Manager Injection via WMI. The GhostLoader tool can be used to detect malicious activity and prevent unauthorized access. Mitigation techniques for the flaws of earlier AppDomain Manager Injection methods are also provided. Understanding the injection and detection of AppDomainManager can help protect applications from malicious actors.

#AppDomainManagerInjection #RedTeamOperations #LateralMovement #CSharpCode #GhostLoaderTool