Hiding in Plain Sight with App Domain Manager Injection

ID: 8e071cb4-699b-54ce-923b-6888c3c0f751

STIX ID: report--8e071cb4-699b-54ce-923b-6888c3c0f751

Feed Name: Huntress Blog

Threat Score: 70/100

Date Published: 2026-02-19

Date Updated: 2026-04-28

**App Domain Manager injection** abuses a .NET Framework feature to direct the runtime to load attacker-controlled assemblies via .exe.config files, remote HTTP/UNC paths, or environment variables (APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE). The technique executes code inside legitimate, often Microsoft-signed processes and affects any .NET Framework application. It can enable local or remote execution and lateral movement, and has been observed in red-team reporting. For detection, defenders must rely on behavioral telemetry (assembly resolution logs, Process Monitor, Fusion logging) and on monitoring configuration and environment changes.
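
A small audit for the configuration and environment monitoring mentioned above, as an added example that is not taken from the Huntress post: it flags the `appDomainManagerAssembly` / `appDomainManagerType` elements and remote `codeBase` locations in a .exe.config, plus the two environment variables. The sample config, assembly name and URL are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

ENV_KEYS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")
CONFIG_KEYS = ("appDomainManagerAssembly", "appDomainManagerType")
REMOTE_PREFIXES = ("http://", "https://", "\\\\")  # HTTP(S) URL or UNC path

# Constructed sample of a tampered .exe.config (names and URL are made up).
SAMPLE_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="ExampleMgr, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="ExampleMgr.Manager" />
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="ExampleMgr" />
        <codeBase version="1.0.0.0" href="http://files.example.test/ExampleMgr.dll" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>"""


def audit_config(xml_text):
    """Return (kind, value) findings for one .exe.config document."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A config the runtime might still read but we cannot is worth review.
        return [("unparseable", str(exc))]
    findings = []
    for elem in root.iter():
        name = elem.tag.rsplit("}", 1)[-1]  # drop any {namespace} prefix
        if name in CONFIG_KEYS:
            findings.append((name, elem.get("value", "")))
        elif name == "codeBase":
            href = elem.get("href", "")
            if href.lower().startswith(REMOTE_PREFIXES):
                findings.append(("remote codeBase", href))
    return findings


def audit_environment(env):
    """Return AppDomainManager variables set in an environment mapping."""
    upper = {k.upper(): v for k, v in env.items()}  # Windows names ignore case
    return [(k, upper[k]) for k in ENV_KEYS if upper.get(k)]


if __name__ == "__main__":
    import os
    for finding in audit_config(SAMPLE_CONFIG) + audit_environment(os.environ):
        print(finding)
```

Any hit is a lead to verify against the application's shipped configuration, not a verdict, since the settings themselves are a supported runtime feature.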
