Stealth

T1218.013: Mavinject


T1218.013 · Sub-technique · 1 platform

Description

Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).(Citation: LOLBAS Mavinject)

Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution (ex. C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL).(Citation: ATT Lazarus TTP Evolution)(Citation: Reaqta Mavinject) Because the copy of mavinject.exe shipped with Windows is digitally signed by Microsoft, proxying execution through it may evade security products: the injection is performed by a trusted, signed binary, and the malicious DLL then runs inside an existing legitimate process rather than in a new, suspicious one.

In addition to Dynamic-link Library Injection, Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.(Citation: Mavinject Functionality Deconstructed)

Platforms

Windows

Mitigations (2)

M1042 · Disable or Remove Feature or Program

Consider removing mavinject.exe if Microsoft App-V is not used within a given environment.

M1038 · Execution Prevention

Use application control (for example AppLocker or Windows Defender Application Control rules) to block execution of mavinject.exe on systems and networks where App-V is not required, to prevent potential misuse by adversaries. Deny rules should cover both the System32 and SysWOW64 copies of the binary, and blocked-execution events should be forwarded to the SIEM, since an attempt to run mavinject.exe on a host that never uses App-V is itself a useful detection signal.

Associated Software (1)

ID: S1239
Name: TONESHELL
Type: Malware
Context: [TONESHELL](https://attack.mitre.org/software/S1239) has injected its malicious payload into a running process through Windows utility Microsoft Appli...

Frequently Asked Questions

What is T1218.013 (Mavinject)?

T1218.013 is the MITRE ATT&CK sub-technique named 'Mavinject', a child of T1218 (System Binary Proxy Execution). It belongs to the Stealth tactic. Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).

How can T1218.013 be detected?

Detection of T1218.013 (Mavinject) starts with process-creation telemetry that includes the full command line (Sysmon Event ID 1, or Windows Security Event ID 4688 with command-line auditing enabled). Alert on mavinject.exe invocations whose arguments contain /INJECTRUNNING or /HMODULE, and compare each invocation with the history of known-good arguments in the environment: the parent process (App-V launches mavinject.exe from its own client components, whereas a shell, script host or Office application as parent is anomalous), the path of the DLL being injected (a DLL under a user-writable directory such as a profile, ProgramData or a temp folder is a strong signal), and the target PID. On hosts where App-V is not deployed, any execution of mavinject.exe is suspicious. Sysmon Event ID 8 (CreateRemoteThread) with mavinject.exe as the source image, and image-load events in the target process for the injected DLL, corroborate a process-creation alert. Commands executed immediately before and after mavinject.exe (for example the staging of the DLL) help establish origin and intent.
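The command-line based detection described above, written out as an added example (this code is not from MITRE, the cited vendors, or the original page). It parses the PID, injection switch and DLL path out of mavinject.exe command lines, then scores each event on the parent process and the DLL location. The sample events are constructed to look like Sysmon Event ID 1 records; the parent image names, DLL names, PIDs and the `EXPECTED_PARENTS` allow-list are assumptions for the example and should be tuned to a real environment.

```python
import re
from typing import Optional

# Constructed sample events shaped like Sysmon Event ID 1 (process creation) fields.
# Parent images, DLL names and PIDs are made up for this example.
SAMPLE_EVENTS = [
    {  # expected App-V usage: launched by the App-V client, DLL under its install directory (hypothetical paths)
        "Image": r"C:\Windows\System32\mavinject.exe",
        "CommandLine": r'"C:\Windows\System32\mavinject.exe" 2284 /INJECTRUNNING "C:\Program Files\Microsoft Application Virtualization\Client\AppVSubsystem.dll"',
        "ParentImage": r"C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe",
    },
    {  # DLL injection from a user-writable path, spawned by an interactive PowerShell
        "Image": r"C:\Windows\System32\mavinject.exe",
        "CommandLine": r"C:\Windows\system32\mavinject.exe 4312 /INJECTRUNNING C:\Users\Public\update.dll",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {  # import descriptor injection via /HMODULE, spawned by cmd.exe
        "Image": r"C:\Windows\System32\mavinject.exe",
        "CommandLine": r"C:\Windows\System32\mavinject.exe 5120 /HMODULE=0x7FFB1C3A0000 C:\ProgramData\helper.dll 1",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {  # unrelated process creation; must produce no match
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# Parents under which mavinject.exe is expected in an App-V deployment (assumed allow-list, not a vendor list).
EXPECTED_PARENTS = {"appvclient.exe"}

# Directory prefixes an unprivileged user can normally write to; a DLL injected from here is suspicious.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\")

_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
_HMODULE_RE = re.compile(r"^/HMODULE=(0x[0-9a-f]+|\d+)$", re.I)


def tokenize_cmdline(cmdline: str) -> list:
    """Split a Windows command line into arguments, honouring double-quoted paths with spaces."""
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(cmdline)]


def parse_mavinject_args(cmdline: str) -> Optional[dict]:
    """Extract target PID, mode and DLL path from a mavinject.exe command line.

    Returns None when the line is not an injection invocation (no PID or no switch).
    Switches are matched case-insensitively so a re-cased switch does not slip past the rule.
    """
    tokens = tokenize_cmdline(cmdline)
    if len(tokens) < 4 or not tokens[1].isdigit():
        return None
    pid, switch, dll = int(tokens[1]), tokens[2], tokens[3]
    if switch.upper() == "/INJECTRUNNING":
        return {"pid": pid, "mode": "INJECTRUNNING", "dll": dll, "base": None, "ordinal": None}
    m = _HMODULE_RE.match(switch)
    if m:
        ordinal = int(tokens[4]) if len(tokens) > 4 and tokens[4].isdigit() else None
        return {"pid": pid, "mode": "HMODULE", "dll": dll, "base": m.group(1), "ordinal": ordinal}
    return None


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event: dict) -> dict:
    """Score one process-creation event; 'high' means injection plus at least one anomaly."""
    result = {"matched": False, "severity": "none", "findings": [], "args": None}
    if _basename(event.get("Image", "")) != "mavinject.exe":
        return result
    args = parse_mavinject_args(event.get("CommandLine", ""))
    if args is None:
        return result  # mavinject.exe ran without an injection switch (e.g. usage text); not a hit
    result["matched"], result["args"] = True, args
    findings = result["findings"]
    findings.append(f"{args['mode']} injection of {args['dll']} into PID {args['pid']}")
    parent = _basename(event.get("ParentImage", ""))
    if parent not in EXPECTED_PARENTS:
        findings.append(f"unexpected parent process {parent or '<unknown>'}")
    if args["dll"].lower().startswith(USER_WRITABLE_PREFIXES):
        findings.append("DLL loaded from a user-writable location")
    if args["mode"] == "HMODULE":
        findings.append("import descriptor injection (/HMODULE) is rarely used legitimately")
    result["severity"] = "high" if len(findings) > 1 else "low"
    return result


def triage(events: list) -> list:
    """Return the analyses for every event that is a mavinject.exe injection."""
    return [r for r in map(analyze_event, events) if r["matched"]]


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(r["severity"].upper(), "|", "; ".join(r["findings"]))
```

The first sample scores low because only the injection itself is observed, which is what a genuine App-V host looks like; on hosts without App-V, treat any match as high regardless of parent. If the source is Windows Security Event 4688 rather than Sysmon, map NewProcessName, CommandLine and ParentProcessName onto the field names used here, and remember that 4688 carries no command line unless command-line auditing is enabled.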

What mitigations exist for T1218.013?

There are 2 documented mitigations for T1218.013. Key mitigations include: Disable or Remove Feature or Program, Execution Prevention.

Which threat groups use T1218.013?

The Associated Software list above names TONESHELL (S1239) as malware that uses this technique, and the cited reporting covers Lazarus tradecraft. Group attribution changes as new reporting is added, so check the MITRE ATT&CK website for the latest threat intelligence.