Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).(Citation: LOLBAS Mavinject)
Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution (e.g. <code>C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL</code>).(Citation: ATT Lazarus TTP Evolution)(Citation: Reaqta Mavinject) Since mavinject.exe may be digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate, signed process.
In addition to Dynamic-link Library Injection, Mavinject.exe can also be abused to perform import descriptor injection via its <code>/HMODULE</code> command-line parameter (e.g. <code>mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER</code>). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.(Citation: Mavinject Functionality Deconstructed)
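Both abuse paths above depend on a command-line switch (<code>/INJECTRUNNING</code> or <code>/HMODULE=</code>) that the utility must receive, so process-creation telemetry is the natural place to detect them. The following Python is an added example, not part of the ATT&CK description or any vendor product: it parses a handful of constructed, Sysmon-style process-creation records (invented for the example, not captured logs), flags any command line carrying one of the two switches, extracts the target PID and DLL path for the analyst, and notes when the switch appears under an image that is not named mavinject.exe (a copied and renamed binary still has to pass the same switch). The optional <code>expected_parents</code> allowlist is an assumption for site-specific tuning and is empty by default.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed sample process-creation events in a Sysmon Event ID 1 style
# key="value" layout. These are invented for the example, not captured telemetry.
SAMPLE_EVENTS = [
    # DLL injection via /INJECTRUNNING launched from cmd.exe
    'Image="C:\\Windows\\System32\\mavinject.exe" '
    'CommandLine="mavinject.exe 4712 /INJECTRUNNING C:\\Users\\Public\\sample.dll" '
    'ParentImage="C:\\Windows\\System32\\cmd.exe"',
    # Import descriptor injection via /HMODULE=
    'Image="C:\\Windows\\System32\\mavinject.exe" '
    'CommandLine="C:\\Windows\\system32\\mavinject.exe 2288 /HMODULE=0x7FF6A3B20000 C:\\Temp\\sample.dll 1" '
    'ParentImage="C:\\Windows\\System32\\powershell.exe"',
    # Same switch, but the utility has been copied and renamed (hypothetical name)
    'Image="C:\\Users\\Public\\updater.exe" '
    'CommandLine="updater.exe 1532 /injectrunning C:\\Users\\Public\\sample.dll" '
    'ParentImage="C:\\Windows\\explorer.exe"',
    # Benign event that must not fire
    'Image="C:\\Windows\\System32\\notepad.exe" '
    'CommandLine="notepad.exe C:\\notes.txt" '
    'ParentImage="C:\\Windows\\explorer.exe"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# The two mavinject.exe switches described above, matched case-insensitively
# against a whole command-line token.
INJECT_RE = re.compile(r'^/(INJECTRUNNING|HMODULE=\S+)$', re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key="value" record into a dict; an unknown layout yields an empty dict."""
    return {k: v for k, v in FIELD_RE.findall(line)}


@dataclass
class Finding:
    technique: str          # "dll_injection" or "import_descriptor_injection"
    image: str
    parent_image: str
    target_pid: Optional[int]
    dll_path: Optional[str]
    renamed_binary: bool    # switch seen, but the image is not named mavinject.exe


def analyze_event(fields: Dict[str, str],
                  expected_parents: FrozenSet[str] = frozenset()) -> Optional[Finding]:
    """Return a Finding when the command line carries a mavinject injection switch.

    expected_parents is an assumed, site-specific allowlist of parent image
    basenames (lower-case) under which the App-V client is known to invoke
    mavinject; it is empty by default so nothing is suppressed.
    """
    cmd = fields.get("CommandLine", "")
    tokens = cmd.split()  # assumes the paths of interest contain no spaces
    for idx, tok in enumerate(tokens):
        m = INJECT_RE.match(tok)
        if not m:
            continue
        parent = fields.get("ParentImage", "")
        if parent.rsplit("\\", 1)[-1].lower() in expected_parents:
            return None
        image = fields.get("Image", "")
        image_name = image.rsplit("\\", 1)[-1].lower()
        # Documented layout: <PID> <switch> <PATH_DLL> [ORDINAL_NUMBER]
        pid_tok = tokens[idx - 1] if idx >= 1 else ""
        dll = tokens[idx + 1] if idx + 1 < len(tokens) else None
        return Finding(
            technique="dll_injection" if m.group(1).upper() == "INJECTRUNNING"
            else "import_descriptor_injection",
            image=image,
            parent_image=parent,
            target_pid=int(pid_tok) if pid_tok.isdigit() else None,
            dll_path=dll,
            renamed_binary=image_name != "mavinject.exe",
        )
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run the detection over a batch of raw event lines and collect findings."""
    findings = []
    for line in lines:
        finding = analyze_event(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Matching on the switch rather than on the image name is the design choice worth keeping: a signed mavinject.exe copied under another name still surfaces as a finding with <code>renamed_binary</code> set, and the extracted target PID and DLL path give the responder the process to inspect and the file to collect.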
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
CM-11 | User-installed Software | Protects | T1218.013 | Mavinject |
CM-02 | Baseline Configuration | Protects | T1218.013 | Mavinject |
CM-06 | Configuration Settings | Protects | T1218.013 | Mavinject |
CM-07 | Least Functionality | Protects | T1218.013 | Mavinject |
CM-08 | System Component Inventory | Protects | T1218.013 | Mavinject |
RA-05 | Vulnerability Monitoring and Scanning | Protects | T1218.013 | Mavinject |
SI-10 | Information Input Validation | Protects | T1218.013 | Mavinject |
SI-16 | Memory Protection | Protects | T1218.013 | Mavinject |
SI-03 | Malicious Code Protection | Protects | T1218.013 | Mavinject |
SI-04 | System Monitoring | Protects | T1218.013 | Mavinject |
SI-07 | Software, Firmware, and Information Integrity | Protects | T1218.013 | Mavinject |