<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Dotnet on Matt Swann — Detection Engineering &amp; Threat Intel</title><link>http://mattswann.dev/tags/dotnet/</link><description>Recent content in Dotnet on Matt Swann — Detection Engineering &amp; Threat Intel</description><image><title>Matt Swann — Detection Engineering &amp; Threat Intel</title><url>http://mattswann.dev/og-image.png</url><link>http://mattswann.dev/og-image.png</link></image><generator>Hugo</generator><language>en-us</language><lastBuildDate>Thu, 12 Feb 2026 23:26:36 -0700</lastBuildDate><atom:link href="http://mattswann.dev/tags/dotnet/index.xml" rel="self" type="application/rss+xml"/><item><title>AppDomainManager Injection — Bend .NET Assemblies to Your Will</title><link>http://mattswann.dev/posts/appdomainmanager-injection/</link><pubDate>Thu, 12 Feb 2026 23:26:36 -0700</pubDate><guid>http://mattswann.dev/posts/appdomainmanager-injection/</guid><description>A deep dive into AppDomainManager injection (T1574.014): how attackers use .NET&amp;rsquo;s own extensibility model to proxy execution of malicious assemblies through legitimate signed binaries, and what defenders can — and can&amp;rsquo;t — do about it.</description></item></channel></rss>