Technique on mitre.org

T1218.013: Mavinject

Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).

Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution (ex. C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL). Since mavinject.exe may be digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process.

In addition to Dynamic-link Library Injection, Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_defense_evasion: PT-CR-455: Mavinject_AWL_Bypass: An attempt to bypass application-start restrictions by using mavinject.exe (a built-in utility that serves as the Microsoft Application Virtualization Injector within App-V)

Detection

ID	DS0017	Data source and component	Command: Command Execution	Description	Adversaries may rename abusable binaries to evade detections, but the argument `INJECTRUNNING` is required for mavinject.exe to perform Dynamic-link Library Injection and may therefore be monitored to alert malicious activity.

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor the execution and arguments of mavinject.exe. Compare recent invocations of mavinject.exe with prior history of known good arguments and injected DLLs to determine anomalous and potentially adversarial activity.

ID	Data source and component	Description
DS0017	Command: Command Execution	Adversaries may rename abusable binaries to evade detections, but the argument `INJECTRUNNING` is required for mavinject.exe to perform Dynamic-link Library Injection and may therefore be monitored to alert malicious activity.
DS0009	Process: Process Creation	Monitor the execution and arguments of mavinject.exe. Compare recent invocations of mavinject.exe with prior history of known good arguments and injected DLLs to determine anomalous and potentially adversarial activity.

Mitigation

ID	M1038	Name	Execution Prevention	Description	Use application control configured to block execution of mavinject.exe if it is not required for a given system or network to prevent potential misuse by adversaries.

ID	M1042	Name	Disable or Remove Feature or Program	Description	Consider removing mavinject.exe if Microsoft App-V is not used within a given environment.

ID	Name	Description
M1038	Execution Prevention	Use application control configured to block execution of mavinject.exe if it is not required for a given system or network to prevent potential misuse by adversaries.
M1042	Disable or Remove Feature or Program	Consider removing mavinject.exe if Microsoft App-V is not used within a given environment.