Skip to content

DET0433 Detecting Code Injection via mavinject.exe (App-V Injector)

Item Value
ID DET0433
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1218.013 (Mavinject)

Analytics

Windows

AN1207

Abuse of mavinject.exe to inject DLLs or import descriptors into another running process. Chain: (1) mavinject.exe starts with /INJECTRUNNING or /HMODULE → (2) mavinject obtains high-access handles to a target process (VM_WRITE/CREATE_THREAD) → (3) target process loads attacker DLL (module load) → (4) optional follow-on child activity or network egress from the target process.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Security EventCode=4688
Process Access (DC0035) WinEventLog:Sysmon EventCode=10
Module Load (DC0016) WinEventLog:Sysmon EventCode=7
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Command Execution (DC0064) WinEventLog:PowerShell EventCode=4103, 4104, 4105, 4106
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Mutable Elements
Field Description
TimeWindow Correlation interval (e.g., 5–10 minutes) linking mavinject start → ProcessAccess → module load/network from the target process.
DLLPathRegex Patterns for suspicious DLL locations (e.g., %TEMP%, Downloads, UNC shares) to reduce noise from legitimate injections.
TargetProcessAllowList Common legitimate targets for App-V (if used) to suppress; flag unusual targets like browsers, LSASS, Winlogon, EDR processes.
MinGrantedAccessSet Set of access rights that imply injection (VM_WRITE, VM_OPERATION, CREATE_THREAD). Tune for your EDR/sysmon formatting.
ParentProcessFilter Legitimate parents starting mavinject (e.g., App-V services) vs. suspicious parents (Office, script hosts, browsers).
ExternalIPAllowlist Known enterprise update/CDN ranges to exclude when correlating post-injection network activity.
SignedToUnsignedTransition Alerting when Microsoft-signed mavinject leads to loading unsigned DLLs in a target process.