Skip to content

T1218.013 Mavinject

Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).2

Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution (ex. C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL).14 Since mavinject.exe may be digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process.

In addition to Dynamic-link Library Injection, Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.3

Item Value
ID T1218.013
Sub-techniques T1218.001, T1218.002, T1218.003, T1218.004, T1218.005, T1218.007, T1218.008, T1218.009, T1218.010, T1218.011, T1218.012, T1218.013, T1218.014
Tactics TA0005
Platforms Windows
Version 2.0
Created 22 September 2021
Last Modified 19 April 2022

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program Consider removing mavinject.exe if Microsoft App-V is not used within a given environment.
M1038 Execution Prevention Use application control configured to block execution of mavinject.exe if it is not required for a given system or network to prevent potential misuse by adversaries.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0009 Process Process Creation

References

  1. Fernando Martinez. (2021, July 6). Lazarus campaign TTPs and evolution. Retrieved September 22, 2021. 

  2. LOLBAS. (n.d.). Mavinject.exe. Retrieved September 22, 2021. 

  3. Matt Graeber. (2018, May 29). mavinject.exe Functionality Deconstructed. Retrieved September 22, 2021. 

  4. Reaqta. (2017, December 16). From False Positive to True Positive: the story of Mavinject.exe, the Microsoft Injector. Retrieved September 22, 2021.