How can an attacker hijack a system .NET program like powershell_ise.exe using AppDomainManager?
An attacker can hijack `powershell_ise.exe` by placing a malicious `AppDomainManager` DLL (e.g., `DomainManager.dll`) and a config file (`powershell_ise.exe.config`) in the same directory as the executable. The config file specifies the assembly and type of the custom `AppDomainManager`. Writing to a system path like `C:\Windows\System32\WindowsPowerShell\v1.0` requires administrator privileges. Once the files are in place, every launch of `powershell_ise.exe` executes the attacker's payload before the main application runs. This technique is demonstrated in "Use AppDomainManager to maintain persistence".
powershell_ise.exe, hijacking, AppDomainManager, config file, persistence, system program