How can defenders detect AppDomainManager hijacking attempts on .NET programs?
Defenders should monitor for unusual `.config` files (e.g., `program.exe.config` or `powershell_ise.exe.config`) in the same directories as .NET executables, especially system paths or common application directories. These config files often contain `appDomainManagerAssembly` and `appDomainManagerType` entries. Additionally, watch for unexpected DLL loading during the startup of managed applications. The article "Use AppDomainManager to maintain persistence" emphasizes that the primary detection point is the config file in the executable's directory.
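As an added example (not code from the article or the original answer), a small Python hunter that walks a directory tree for `<name>.exe.config` files and reports those whose `<runtime>` section sets `appDomainManagerAssembly` or `appDomainManagerType`, noting whether the paired executable is actually present; the sample config and the assembly/type names inside it are constructed.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# The two <runtime> children that point the CLR at a custom AppDomainManager.
INDICATOR_TAGS = ("appDomainManagerAssembly", "appDomainManagerType")

# Constructed sample showing the shape of a hijacking config (names are made up).
SAMPLE_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="Hypothetical, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Hypothetical.Manager" />
  </runtime>
</configuration>"""

def parse_appdomain_manager(config_xml: str):
    """Return {tag: value} for AppDomainManager settings under <runtime>, or None."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return None  # unparseable config: not an indicator by itself
    runtime = root.find("runtime")
    if runtime is None:
        return None
    found = {tag: runtime.find(tag).get("value", "")
             for tag in INDICATOR_TAGS if runtime.find(tag) is not None}
    return found or None

def scan_directory(path: str) -> list:
    """Walk `path` and report every <name>.exe.config that sets an AppDomainManager."""
    hits = []
    for dirpath, _, files in os.walk(path):
        for name in files:
            if not name.lower().endswith(".exe.config"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8-sig", errors="replace") as fh:
                settings = parse_appdomain_manager(fh.read())
            if settings:  # also note whether the paired executable is actually present
                exe_present = os.path.exists(full[:-len(".config")])
                hits.append({"config": full, "exe_present": exe_present, **settings})
    return hits

def demo() -> list:
    """Write the constructed sample beside an empty program.exe in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        open(os.path.join(tmp, "program.exe"), "wb").close()
        with open(os.path.join(tmp, "program.exe.config"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CONFIG)
        return scan_directory(tmp)
```

Point `scan_directory` at the application directories the answer names; a hit whose executable is missing is still worth reviewing, since the config may be staged ahead of the binary.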
Tags: detection, .config file, AppDomainManager, threat hunting, managed DLL, persistence indicator