Commit a158eca

feat(rules): New AppDomain Manager injection via CLR search order hijacking rule
Adversaries can abuse the CLR search order to load the malicious assembly from a writable directory by simply following the assembly file naming conventions and ensuring the .NET LOBIN is executed with the right environment variables set.
1 parent e08bfa6 commit a158eca

1 file changed

+36
-0
lines changed

@@ -0,0 +1,36 @@
1+
name: AppDomain Manager injection via CLR search order hijacking
2+
id: 9319fafd-b7dc-4d85-b41a-54a8d4f1ab18
3+
version: 1.0.0
4+
description: |
5+
Adversaries may execute their own malicious payloads by hijacking how the .NET AppDomainManager loads assemblies.
6+
The .NET framework uses the AppDomainManager class to create and manage one or more isolated runtime environments
7+
(called application domains) inside a process to host the execution of .NET applications. Assemblies may be loaded
8+
into an application domain as executable code.
9+
10+
Adversaries can abuse the CLR search order to load the malicious assembly from a writable directory by
11+
simply following the assembly file naming conventions and ensuring the .NET LOBIN is executed with the
12+
right environment variables set.
13+
labels:
14+
tactic.id: TA0005
15+
tactic.name: Defense Evasion
16+
tactic.ref: https://attack.mitre.org/tactics/TA0005/
17+
technique.id: T1574
18+
technique.name: Hijack Execution Flow
19+
technique.ref: https://attack.mitre.org/techniques/T1574/
20+
subtechnique.id: T1574.014
21+
subtechnique.name: AppDomainManager
22+
subtechnique.ref: https://attack.mitre.org/techniques/T1574/014/
23+
references:
24+
- https://ipslav.github.io/2023-12-12-let-me-manage-your-appdomain/
25+
- https://www.rapid7.com/blog/post/2023/05/05/appdomain-manager-injection-new-techniques-for-red-teams/
26+
27+
condition: >
28+
(load_unsigned_or_untrusted_module) and ((base(dir(image.name)) ~= base(image.name, false)) or (ps.envs[APPDOMAIN_MANAGER_ASM] istartswith base(image.name, false)))
29+
and
30+
pe.is_dotnet and (image.is_dotnet or thread.callstack.symbols imatches ('clr.dll!ParseManifest*'))
31+
32+
output: >
33+
Process %ps.exe loaded untrusted .NET assembly %image.name from suspicious location
34+
severity: high
35+
36+
min-engine-version: 2.3.0
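Review bot: The `description` says the assembly is loaded "from a writable directory", but the `condition` never constrains the location of `image.name`: `base(dir(image.name)) ~= base(image.name, false)` matches any layout where a DLL sits in a directory of the same name (a common pattern under `Program Files`), so the only thing separating it from a legitimate vendor layout is `load_unsigned_or_untrusted_module`. Consider adding a path predicate that reflects the stated intent, e.g. a user-writable location match or an exclusion for `Program Files`/`Windows` paths, or reword the description so it does not promise a check the condition does not make. The `ps.envs[APPDOMAIN_MANAGER_ASM] istartswith base(image.name, false)` branch is the stronger signal and could reasonably carry `severity: high` on its own, while the directory-name branch alone may deserve a lower severity. Minor: "LOBIN" in the description (and in the commit message) reads as a typo for "LOLBIN".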
