Renamed Mavinject.EXE Execution

 1title: Renamed Mavinject.EXE Execution
 2id: e6474a1b-5390-49cd-ab41-8d88655f7394
 3status: test
 4description: Detects the execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
 7    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md
 8    - https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e
 9    - https://twitter.com/gN3mes1s/status/941315826107510784
10    - https://reaqta.com/2017/12/mavinject-microsoft-injector/
11    - https://twitter.com/Hexacorn/status/776122138063409152  # Deleted tweet
12    - https://github.com/SigmaHQ/sigma/issues/3742
13    - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection
14author: frack113, Florian Roth
15date: 2022/12/05
16modified: 2023/02/03
17tags:
18    - attack.defense_evasion
19    - attack.privilege_escalation
20    - attack.t1055.001
21    - attack.t1218.013
22logsource:
23    category: process_creation
24    product: windows
25detection:
26    selection:
27        OriginalFileName:
28            - 'mavinject32.exe'
29            - 'mavinject64.exe'
30    filter:
31        Image|endswith:
32            - '\mavinject32.exe'
33            - '\mavinject64.exe'
34    condition: selection and not filter
35falsepositives:
36    - Unlikely
37level: high

References

• atomic-red-team/atomics/T1218/T1218.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• atomic-red-team/atomics/T1056.004/T1056.004.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• mavinject.exe Functionality Deconstructed

  Attackers have been abusing mavinject.exe for some time to perform DLL injection. I first heard about mavinject from this tweet (and here)…

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• IBM Security QRadar EDR - Endpoint Detection and Response Solutions

  

  IBM Security QRadar EDR is SaaS for endpoint detection and response. It helps secure endpoints from cyberattacks, detect anomalous behavior and remediate in near real time.

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• Exemption on proc_creation_win_creation_mavinject_process_injection.yml · Issue #3742 · SigmaHQ/sigma

  

  mavinject process should be excluded from devices running App-V as it is normal behavior. From LOLBAS Project IOC: mavinject.exe should not run unless APP-v is in use on the workstation The logic c...

  
  Read More

• SentinelOne-ATTACK-Queries/Tactics/DefenseEvasion.md at 6a228d23eefe963ca81f2d52f94b815f61ef5ee0 · keyboardcrunch/SentinelOne-ATTACK-Queries

  

  MITRE ATT&CK mapped queries for SentinelOne Deep Visiblity - keyboardcrunch/SentinelOne-ATTACK-Queries

  
  Read More

Related rules

• Mavinject Inject DLL Into Running Process
• Cisco BGP Authentication Failures
• Cisco LDP Authentication Failures
• Huawei BGP Authentication Failures
• Juniper BGP Missing MD5