1. Home
  2. ATT&CK Techniques
  3. T1218.013 Mavinject

T1218.013 Mavinject Mappings

Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).(Citation: LOLBAS Mavinject)

Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution (ex. <code>C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL</code>).(Citation: ATT Lazarus TTP Evolution)(Citation: Reaqta Mavinject) Since mavinject.exe may be digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process.

In addition to Dynamic-link Library Injection, Mavinject.exe can also be abused to perform import descriptor injection via its <code>/HMODULE</code> command-line parameter (ex. <code>mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER</code>). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.(Citation: Mavinject Functionality Deconstructed)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
CM-11 User-installed Software Protects T1218.013 Mavinject
CM-2 Baseline Configuration Protects T1218.013 Mavinject
CM-6 Configuration Settings Protects T1218.013 Mavinject
CM-7 Least Functionality Protects T1218.013 Mavinject
CM-8 System Component Inventory Protects T1218.013 Mavinject
RA-5 Vulnerability Monitoring and Scanning Protects T1218.013 Mavinject
SI-10 Information Input Validation Protects T1218.013 Mavinject
SI-16 Memory Protection Protects T1218.013 Mavinject
SI-3 Malicious Code Protection Protects T1218.013 Mavinject
SI-4 System Monitoring Protects T1218.013 Mavinject
SI-7 Software, Firmware, and Information Integrity Protects T1218.013 Mavinject
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1218.013 System Binary Proxy Execution: Mavinject