Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).2
Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution (ex.
C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL).14 Since mavinject.exe may be digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process.
In addition to Dynamic-link Library Injection, Mavinject.exe can also be abused to perform import descriptor injection via its
/HMODULE command-line parameter (ex.
mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.3
|Sub-techniques||T1218.001, T1218.002, T1218.003, T1218.004, T1218.005, T1218.007, T1218.008, T1218.009, T1218.010, T1218.011, T1218.012, T1218.013, T1218.014|
|Created||22 September 2021|
|Last Modified||19 April 2022|
|M1042||Disable or Remove Feature or Program||Consider removing mavinject.exe if Microsoft App-V is not used within a given environment.|
|M1038||Execution Prevention||Use application control configured to block execution of mavinject.exe if it is not required for a given system or network to prevent potential misuse by adversaries.|
|ID||Data Source||Data Component|