T1218.013 Mavinject

Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).(Citation: LOLBAS Mavinject)

Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution (ex. <code>C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL</code>).(Citation: ATT Lazarus TTP Evolution)(Citation: Reaqta Mavinject) Since mavinject.exe may be digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process.

In addition to Dynamic-link Library Injection, Mavinject.exe can also be abused to perform import descriptor injection via its <code>/HMODULE</code> command-line parameter (ex. <code>mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER</code>). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.(Citation: Mavinject Functionality Deconstructed)


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
PR.PS-05.02 | Mobile code prevention | mitigates | T1218.013 | Mavinject |
Comments: Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
CM-06 | Configuration Settings | mitigates | T1218.013 | Mavinject |
CM-11 | User-installed Software | mitigates | T1218.013 | Mavinject |
SI-16 | Memory Protection | mitigates | T1218.013 | Mavinject |
RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1218.013 | Mavinject |
CM-08 | System Component Inventory | mitigates | T1218.013 | Mavinject |
SI-10 | Information Input Validation | mitigates | T1218.013 | Mavinject |
SI-03 | Malicious Code Protection | mitigates | T1218.013 | Mavinject |
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1218.013 | Mavinject |
CM-02 | Baseline Configuration | mitigates | T1218.013 | Mavinject |
CM-07 | Least Functionality | mitigates | T1218.013 | Mavinject |
SI-04 | System Monitoring | mitigates | T1218.013 | Mavinject |

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
action.malware.variety.Export data | Export data to another site or system | related-to | T1218.013 | Mavinject |
action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1218.013 | Mavinject |

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1218.013 | Mavinject |
Comments: This control may detect use of the INJECTRUNNING argument, which mavinject.exe requires for the DLL injection described above.
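As an added defender's example (not part of the mapping page, nor of the CRI, NIST, VERIS or Azure control text), the following Python scans process-creation events for the two mavinject.exe invocation shapes given in the technique description above (`/INJECTRUNNING` for DLL injection and `/HMODULE=` for import descriptor injection), and also covers the case the Azure comment's argument-based detection implies: a renamed copy of the binary, recognised through the PE's OriginalFilename rather than the image path. Field names follow Sysmon Event ID 1 (Image, CommandLine, OriginalFileName, ParentImage); the sample events, PIDs and paths are constructed, and the OriginalFilename value for mavinject.exe is an assumption to verify against the binary's version resource.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 (process creation) record."""
    image: str               # full path of the created process
    command_line: str
    original_file_name: str  # OriginalFilename from the PE version resource
    parent_image: str


# Assumed OriginalFilename of mavinject.exe; verify against the real binary
# before relying on it (the image name alone is trivially changed).
MAVINJECT_ORIGINAL_NAME = "mavinject32.exe"

# Argument shapes from the technique description: "PID /INJECTRUNNING DLL"
# and "PID /HMODULE=BASE DLL ORDINAL". Switches are matched case-insensitively
# and must stand as their own token.
INJECTRUNNING_RE = re.compile(r"\s/INJECTRUNNING(?=\s|$)", re.IGNORECASE)
HMODULE_RE = re.compile(r"\s/HMODULE=\S+", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> List[str]:
    """Return finding tags for one event; an empty list means nothing matched."""
    by_name = basename(ev.image) == "mavinject.exe"
    by_original = ev.original_file_name.lower() == MAVINJECT_ORIGINAL_NAME
    if not (by_name or by_original):
        return []

    findings = []
    if INJECTRUNNING_RE.search(ev.command_line):
        findings.append("dll_injection")            # /INJECTRUNNING
    if HMODULE_RE.search(ev.command_line):
        findings.append("import_descriptor_injection")  # /HMODULE=
    if by_original and not by_name:
        findings.append("renamed_binary")           # path says otherwise, PE says mavinject
    return findings


def scan(events: List[ProcessEvent]) -> List[Tuple[str, List[str]]]:
    """Return (image basename, findings) for every event that produced findings."""
    hits = []
    for ev in events:
        findings = classify(ev)
        if findings:
            hits.append((basename(ev.image), findings))
    return hits


# Constructed sample events (PIDs, paths and parents are made up).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\mavinject.exe",
                 r"mavinject.exe 4242 /INJECTRUNNING C:\Users\Public\sample.dll",
                 "mavinject32.exe", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Users\Public\svchost.exe",          # renamed copy
                 r"svchost.exe 4242 /INJECTRUNNING C:\Users\Public\sample.dll",
                 "mavinject32.exe", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\mavinject.exe",
                 r"mavinject.exe 4242 /HMODULE=0x7ff6a0000000 C:\Users\Public\sample.dll 1",
                 "mavinject32.exe", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe",      # benign control
                 "notepad.exe readme.txt",
                 "NOTEPAD.EXE", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_EVENTS):
        print(f"{name}: {', '.join(findings)}")
```

Gating on the binary's identity (path or OriginalFilename) rather than on the switch alone keeps the rule from firing on unrelated tools that happen to use a `/INJECTRUNNING` token, while the OriginalFilename branch is what turns the Azure comment's argument match into something a renamed copy cannot sidestep. In a real deployment the parent process and the DLL path would be the next fields to baseline, since legitimate App-V use has a narrow, predictable shape.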