AppDomainManager Injection — Bend .NET Assemblies to Your Will

A deep dive into AppDomainManager injection (T1574.014): how attackers use .NET’s own extensibility model to proxy execution of malicious assemblies through legitimate signed binaries, and what defenders can — and can’t — do about it.

February 12, 2026 · 7 min · Matt Swann