Mavinject Inject DLL Into Running Process

Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag

Sigma rule (View on GitHub)

 1title: Mavinject Inject DLL Into Running Process
 2id: 4f73421b-5a0b-4bbf-a892-5a7fb99bea66
 3related:
 4    - id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
 5      type: obsoletes
 6status: test
 7description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
10    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md
11    - https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e
12    - https://twitter.com/gN3mes1s/status/941315826107510784
13    - https://reaqta.com/2017/12/mavinject-microsoft-injector/
14    - https://twitter.com/Hexacorn/status/776122138063409152  # Deleted tweet
15    - https://github.com/SigmaHQ/sigma/issues/3742
16    - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection
17author: frack113, Florian Roth
18date: 2021/07/12
19modified: 2022/12/05
20tags:
21    - attack.defense_evasion
22    - attack.privilege_escalation
23    - attack.t1055.001
24    - attack.t1218.013
25logsource:
26    category: process_creation
27    product: windows
28detection:
29    selection:
30        CommandLine|contains: ' /INJECTRUNNING '
31    filter:
32        ParentImage: 'C:\Windows\System32\AppVClient.exe' # This parent is the expected process to launch "mavinject"
33    condition: selection and not filter
34falsepositives:
35    - Unknown
36level: high

References

Related rules

to-top