T1218.013 Mavinject
Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).2
Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution (ex. C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL
).14 Since mavinject.exe may be digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process.
In addition to Dynamic-link Library Injection, Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE
command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER
). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.3
Item | Value |
---|---|
ID | T1218.013 |
Sub-techniques | T1218.001, T1218.002, T1218.003, T1218.004, T1218.005, T1218.007, T1218.008, T1218.009, T1218.010, T1218.011, T1218.012, T1218.013, T1218.014 |
Tactics | TA0005 |
Platforms | Windows |
Version | 2.0 |
Created | 22 September 2021 |
Last Modified | 19 April 2022 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1042 | Disable or Remove Feature or Program | Consider removing mavinject.exe if Microsoft App-V is not used within a given environment. |
M1038 | Execution Prevention | Use application control configured to block execution of mavinject.exe if it is not required for a given system or network to prevent potential misuse by adversaries. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0009 | Process | Process Creation |
References
-
Fernando Martinez. (2021, July 6). Lazarus campaign TTPs and evolution. Retrieved September 22, 2021. ↩
-
LOLBAS. (n.d.). Mavinject.exe. Retrieved September 22, 2021. ↩
-
Matt Graeber. (2018, May 29). mavinject.exe Functionality Deconstructed. Retrieved September 22, 2021. ↩
-
Reaqta. (2017, December 16). From False Positive to True Positive: the story of Mavinject.exe, the Microsoft Injector. Retrieved September 22, 2021. ↩