Mavinject Inject DLL Into Running Process

 1title: Mavinject Inject DLL Into Running Process
 2id: 4f73421b-5a0b-4bbf-a892-5a7fb99bea66
 3related:
 4    - id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
 5      type: obsolete
 6status: test
 7description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
10    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md
11    - https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e
12    - https://twitter.com/gN3mes1s/status/941315826107510784
13    - https://reaqta.com/2017/12/mavinject-microsoft-injector/
14    - https://twitter.com/Hexacorn/status/776122138063409152  # Deleted tweet
15    - https://github.com/SigmaHQ/sigma/issues/3742
16    - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection
17author: frack113, Florian Roth
18date: 2021-07-12
19modified: 2022-12-05
20tags:
21    - attack.defense-evasion
22    - attack.privilege-escalation
23    - attack.t1055.001
24    - attack.t1218.013
25logsource:
26    category: process_creation
27    product: windows
28detection:
29    selection:
30        CommandLine|contains: ' /INJECTRUNNING '
31    filter:
32        ParentImage: 'C:\Windows\System32\AppVClient.exe' # This parent is the expected process to launch "mavinject"
33    condition: selection and not filter
34falsepositives:
35    - Unknown
36level: high

References

• atomic-red-team/atomics/T1218/T1218.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• atomic-red-team/atomics/T1056.004/T1056.004.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e

  
  Read More

• x.com

  
  Read More

• IBM QRadar EDR - Endpoint Detection and Response Solutions

  

  IBM QRadar EDR is SaaS for endpoint detection and response. It helps secure endpoints from cyberattacks, detect anomalous behavior and remediate in near real time.

  
  Read More

• x.com

  
  Read More

• Exemption on proc_creation_win_creation_mavinject_process_injection.yml · Issue #3742 · SigmaHQ/sigma

  

  mavinject process should be excluded from devices running App-V as it is normal behavior. From LOLBAS Project IOC: mavinject.exe should not run unless APP-v is in use on the workstation The logic c...

  
  Read More

• SentinelOne-ATTACK-Queries/Tactics/DefenseEvasion.md at 6a228d23eefe963ca81f2d52f94b815f61ef5ee0 · keyboardcrunch/SentinelOne-ATTACK-Queries

  

  MITRE ATT&CK mapped queries for SentinelOne Deep Visiblity - keyboardcrunch/SentinelOne-ATTACK-Queries

  
  Read More

Related rules

• Renamed Mavinject.EXE Execution
• APT PRIVATELOG Image Load Pattern
• Abuse of Service Permissions to Hide Services Via Set-Service
• Abuse of Service Permissions to Hide Services Via Set-Service - PS
• Account Tampering - Suspicious Failed Logon Reasons