This is a variation of the technique originally discovered by
subtee and described here
TL;DR It essentially allows you to turn any .NET application into a lolbin by providing a configuration file and specifying the
<appDomainManagerAssembly> element pointing to a specially crafted .NET assembly which executes when the application is loaded.
This variation allows you to load the
AppDomainManager assembly from a UNC path or HTTP(s) server. Also disables ETW thanks to the
<etwEnable> element :)
- Copy some binary you love to say,
C:\Test. Lets use
aspnet_compiler.exeas an example
test.dllwith a signed strong name, this is required to load an assembly outside of a .NET applications base directory.
test.dllon a remote SMB or HTTP(S) server