Renamed Mavinject.EXE Execution

 1title: Renamed Mavinject.EXE Execution
 2id: e6474a1b-5390-49cd-ab41-8d88655f7394
 3status: test
 4description: Detects the execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
 7    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md
 8    - https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e
 9    - https://twitter.com/gN3mes1s/status/941315826107510784
10    - https://reaqta.com/2017/12/mavinject-microsoft-injector/
11    - https://twitter.com/Hexacorn/status/776122138063409152  # Deleted tweet
12    - https://github.com/SigmaHQ/sigma/issues/3742
13    - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection
14author: frack113, Florian Roth
15date: 2022-12-05
16modified: 2023-02-03
17tags:
18    - attack.defense-evasion
19    - attack.privilege-escalation
20    - attack.t1055.001
21    - attack.t1218.013
22logsource:
23    category: process_creation
24    product: windows
25detection:
26    selection:
27        OriginalFileName:
28            - 'mavinject32.exe'
29            - 'mavinject64.exe'
30    filter:
31        Image|endswith:
32            - '\mavinject32.exe'
33            - '\mavinject64.exe'
34    condition: selection and not filter
35falsepositives:
36    - Unlikely
37level: high

References

• atomic-red-team/atomics/T1218/T1218.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• atomic-red-team/atomics/T1056.004/T1056.004.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e

  
  Read More

• x.com

  
  Read More

• IBM QRadar EDR - Endpoint Detection and Response Solutions

  

  IBM QRadar EDR is SaaS for endpoint detection and response. It helps secure endpoints from cyberattacks, detect anomalous behavior and remediate in near real time.

  
  Read More

• x.com

  
  Read More

• Exemption on proc_creation_win_creation_mavinject_process_injection.yml · Issue #3742 · SigmaHQ/sigma

  

  mavinject process should be excluded from devices running App-V as it is normal behavior. From LOLBAS Project IOC: mavinject.exe should not run unless APP-v is in use on the workstation The logic c...

  
  Read More

• SentinelOne-ATTACK-Queries/Tactics/DefenseEvasion.md at 6a228d23eefe963ca81f2d52f94b815f61ef5ee0 · keyboardcrunch/SentinelOne-ATTACK-Queries

  

  MITRE ATT&CK mapped queries for SentinelOne Deep Visiblity - keyboardcrunch/SentinelOne-ATTACK-Queries

  
  Read More

Related rules

• Mavinject Inject DLL Into Running Process
• APT PRIVATELOG Image Load Pattern
• Abuse of Service Permissions to Hide Services Via Set-Service
• Abuse of Service Permissions to Hide Services Via Set-Service - PS
• Account Tampering - Suspicious Failed Logon Reasons