Detection
As stated before, Luke Jennings' Countercept post on .NET Gargoyle makes for a good read and links to several other useful pages. Jennings' example uses timers to dynamically load and unload a malicious Assembly, assumed to be a callback-based implant. This evades memory scanning by keeping the payload loaded only for as long as it needs to run before unloading it, betting that no scan will land on the Assembly during that short window. In the referenced article, Jennings' detections appear to target the callback mechanism rather than the dynamic loading and execution of the Assembly itself. A collision is eventually bound to happen, though we probably aren't that interested in beaconing implants and can find other ways to beacon.
Related posts by Jennings describe methods for detecting sketchy things through Event Tracing for Windows (ETW).
Joe Desimone's post for Endgame, "Hunting For In-Memory .NET Attacks" (2017-10-10), is another great source, highlighting how both attackers and defenders are handling in-memory .NET. The proposed method of detection is Endgame's ClrGuard, another ETW-based solution that hooks the LoadImage() function called by the .NET Assembly.Load() function, logging and/or blocking anything attempting to dynamically load an Assembly.
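As an added example (not code from this page, from Countercept or from ClrGuard), here is the kind of triage a consumer of the CLR's ETW loader events could run over a captured stream: it flags assemblies loaded with no backing file on disk and load/unload pairs that live only briefly, the footprint the timer-based approach above leaves behind. The event shape, field names and sample records are constructed assumptions for this example, not a real capture.

```python
from collections import defaultdict

# Constructed sample stream shaped loosely like the CLR's ETW loader events
# (AssemblyLoad / AssemblyUnload from Microsoft-Windows-DotNETRuntime).
# Field names and values are assumptions for this example, not a real capture.
SAMPLE_EVENTS = [
    {"ts": 10.00, "pid": 4242, "event": "AssemblyLoad",   "name": "Implant",         "path": ""},
    {"ts": 10.25, "pid": 4242, "event": "AssemblyUnload", "name": "Implant",         "path": ""},
    {"ts": 12.00, "pid": 1337, "event": "AssemblyLoad",   "name": "Newtonsoft.Json", "path": r"C:\app\Newtonsoft.Json.dll"},
    {"ts": 20.00, "pid": 5555, "event": "AssemblyLoad",   "name": "Plugin",          "path": ""},
    {"ts": 70.00, "pid": 4242, "event": "AssemblyLoad",   "name": "Implant",         "path": ""},
    {"ts": 70.30, "pid": 4242, "event": "AssemblyUnload", "name": "Implant",         "path": ""},
]

MEMORY_ONLY = "memory-only-load"      # no backing file: Assembly.Load(byte[]) style
SHORT_LIVED = "short-lived-assembly"  # load followed quickly by unload in one process
PERIODIC = "periodic-load-unload"     # the same assembly cycling repeatedly (timer pattern)

def analyze(events, max_lifetime=5.0, min_cycles=2):
    """Return a list of (rule, pid, name, detail) alerts for an event stream."""
    alerts = []
    pending = {}               # (pid, name) -> timestamp of the outstanding load
    cycles = defaultdict(int)  # (pid, name) -> number of short load/unload cycles seen
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["pid"], ev["name"])
        if ev["event"] == "AssemblyLoad":
            pending[key] = ev["ts"]
            if not ev["path"]:
                alerts.append((MEMORY_ONLY, ev["pid"], ev["name"], "no on-disk path"))
        elif ev["event"] == "AssemblyUnload" and key in pending:
            lifetime = ev["ts"] - pending.pop(key)
            if lifetime <= max_lifetime:
                alerts.append((SHORT_LIVED, ev["pid"], ev["name"], f"lived {lifetime:.2f}s"))
                cycles[key] += 1
                if cycles[key] == min_cycles:
                    alerts.append((PERIODIC, ev["pid"], ev["name"], f"{min_cycles} short cycles"))
    return alerts

def alerts_by_rule(alerts):
    """Group alerts by rule so they can be counted or routed separately."""
    grouped = defaultdict(list)
    for rule, pid, name, detail in alerts:
        grouped[rule].append((pid, name, detail))
    return dict(grouped)

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Against the sample stream only pid 4242 trips all three rules; the long-lived memory-only load in pid 5555 is logged but not escalated, and the on-disk load in pid 1337 produces nothing.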