T1218.013 Mavinject Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "mavinject.exe"
| extend InjectRunning = ProcessCommandLine has "/INJECTRUNNING"
| extend TargetPID = ProcessCommandLine matches regex @"/INJECTRUNNING \d+"
| extend SuspiciousPath = ProcessCommandLine has_any ("Temp", "AppData", "Downloads", "Public", "Desktop")
| extend SuspiciousParent = InitiatingProcessFileName has_any ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, InjectRunning, SuspiciousPath, SuspiciousParent
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Microsoft Application Virtualization (App-V) environments where mavinject.exe is used legitimately for virtualized application management
App-V client infrastructure invoking mavinject.exe as part of normal application publishing and streaming workflows
Enterprise App-V deployments where IT administrators use mavinject.exe for application compatibility management
Microsoft App-V testing and development environments

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
Image="*\\mavinject.exe"
| eval InjectRunning=if(match(CommandLine, "/INJECTRUNNING"), 1, 0)
| eval SuspiciousPath=if(match(CommandLine, "(Temp|AppData|Downloads|Public|Desktop)"), 1, 0)
| eval SuspiciousParent=if(match(ParentImage, "(cmd|powershell|wscript|cscript|mshta|winword|excel)\.exe"), 1, 0)
| eval RiskScore=InjectRunning + SuspiciousPath + SuspiciousParent
| where RiskScore > 0
| table _time, host, User, CommandLine, ParentImage, ParentCommandLine, InjectRunning, SuspiciousPath, SuspiciousParent, RiskScore
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Microsoft Application Virtualization (App-V) environments using mavinject.exe for virtualized application management
App-V client infrastructure invoking mavinject.exe as part of application publishing workflows
Enterprise App-V deployments for application compatibility management

Elastic Security (EQL)

eql

process where event.type == "start" and process.name : "mavinject.exe" and (
  process.args : "/INJECTRUNNING" or
  process.args : "/INJECTRUNNING*" or
  process.command_line : "*mavinject*"
)
| eval inject_running = if(process.args like "/INJECTRUNNING*", 1, 0)
| eval suspicious_path = if(process.command_line like "*Temp*" or process.command_line like "*AppData*" or process.command_line like "*Downloads*" or process.command_line like "*Public*" or process.command_line like "*Desktop*", 1, 0)
| eval suspicious_parent = if(process.parent.name in ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe"), 1, 0)

high severity high confidence

Data Sources

Elastic Endpoint Security Windows Sysmon via Elastic Agent Winlogbeat

Required Tables

logs-endpoint.events.process-* logs-windows.sysmon_operational-* winlogbeat-*

False Positives

Legitimate Microsoft App-V deployments where administrators use mavinject.exe to inject approved virtualization components into running processes
Automated software testing pipelines that use mavinject.exe to instrument processes for coverage or debugging purposes
Application compatibility tooling in enterprise environments that invokes mavinject.exe as part of sanctioned compatibility shims

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "Process Name",
  "Command" AS command_line,
  "Parent Process Name",
  CASE WHEN LOWER("Command") LIKE '%/injectrunning%' THEN 1 ELSE 0 END AS inject_running,
  CASE WHEN LOWER("Command") LIKE '%temp%'
            OR LOWER("Command") LIKE '%appdata%'
            OR LOWER("Command") LIKE '%downloads%'
            OR LOWER("Command") LIKE '%public%'
            OR LOWER("Command") LIKE '%desktop%' THEN 1 ELSE 0 END AS suspicious_path,
  CASE WHEN LOWER("Parent Process Name") LIKE '%cmd.exe%'
            OR LOWER("Parent Process Name") LIKE '%powershell.exe%'
            OR LOWER("Parent Process Name") LIKE '%wscript.exe%'
            OR LOWER("Parent Process Name") LIKE '%cscript.exe%'
            OR LOWER("Parent Process Name") LIKE '%mshta.exe%'
            OR LOWER("Parent Process Name") LIKE '%winword.exe%'
            OR LOWER("Parent Process Name") LIKE '%excel.exe%' THEN 1 ELSE 0 END AS suspicious_parent
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    LOWER("Process Name") LIKE '%mavinject.exe'
    OR LOWER("Command") LIKE '%mavinject.exe%'
  )
  AND (
    LOWER("Command") LIKE '%/injectrunning%'
    OR LOWER("Parent Process Name") LIKE '%cmd.exe%'
    OR LOWER("Parent Process Name") LIKE '%powershell.exe%'
    OR LOWER("Parent Process Name") LIKE '%wscript.exe%'
    OR LOWER("Parent Process Name") LIKE '%cscript.exe%'
    OR LOWER("Parent Process Name") LIKE '%mshta.exe%'
    OR LOWER("Parent Process Name") LIKE '%winword.exe%'
    OR LOWER("Parent Process Name") LIKE '%excel.exe%'
    OR LOWER("Command") LIKE '%temp%'
    OR LOWER("Command") LIKE '%appdata%'
    OR LOWER("Command") LIKE '%downloads%'
  )
  AND LAST 24 HOURS
ORDER BY devicetime DESC

high severity high confidence

Data Sources

Microsoft Windows Security Event Log (QRadar DSM) Sysmon (QRadar DSM) Windows Endpoint Log Source

Required Tables

events

False Positives

Legitimate Microsoft App-V infrastructure where mavinject.exe is used as part of sanctioned application virtualization workflows on managed endpoints
Enterprise software distribution systems that invoke mavinject.exe during package installation or compatibility testing phases
Security testing or red team exercises on endpoints where mavinject.exe is intentionally invoked for authorized penetration testing

Sumo Logic CSE

sql

_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security"
| json field=_raw "EventID" as event_id nodrop
| where event_id = "1" or event_id = "4688"
| json field=_raw "CommandLine" as command_line nodrop
| json field=_raw "Image" as image nodrop
| json field=_raw "ParentImage" as parent_image nodrop
| json field=_raw "User" as user nodrop
| json field=_raw "Computer" as computer nodrop
| where image matches "*\\mavinject.exe" or command_line matches "*mavinject*"
| eval inject_running = if(command_line matches "(?i).*\/INJECTRUNNING.*", 1, 0)
| eval suspicious_path = if(command_line matches "(?i).*(Temp|AppData|Downloads|Public|Desktop).*", 1, 0)
| eval suspicious_parent = if(parent_image matches "(?i).*(cmd|powershell|wscript|cscript|mshta|winword|excel)\.exe", 1, 0)
| eval risk_score = inject_running + suspicious_path + suspicious_parent
| where risk_score > 0
| fields _messagetime, computer, user, command_line, parent_image, inject_running, suspicious_path, suspicious_parent, risk_score
| sort by _messagetime desc

high severity high confidence

Data Sources

Sysmon Operational Log via Sumo Logic Windows Agent Windows Security Event Log via Sumo Logic Installed Collector

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Authorized Microsoft App-V deployments where IT administrators use mavinject.exe for legitimate application virtualization injection tasks
Endpoint security products or EDR agents that invoke mavinject.exe during process instrumentation or behavioral monitoring activities
Developer workstations where mavinject.exe is invoked via PowerShell or cmd.exe during application compatibility testing and debugging workflows

Google Chronicle / SecOps

yaral

rule t1218_013_mavinject_injection {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects abuse of mavinject.exe (Microsoft Application Virtualization Injector) for DLL injection via /INJECTRUNNING flag. Covers T1218.013 signed binary proxy execution."
    mitre_attack = "T1218.013"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-13"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i).*\\mavinject\.exe$/
    (
      $e.target.process.command_line = /(?i).*\/INJECTRUNNING.*/
      or $e.target.process.command_line = /(?i).*(Temp|AppData|Downloads|Public|Desktop).*/
      or $e.principal.process.file.full_path = /(?i).*(cmd|powershell|wscript|cscript|mshta|winword|excel)\.exe$/
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    $risk_score = max(
      if($e.target.process.command_line = /(?i).*\/INJECTRUNNING.*/, 40, 0) +
      if($e.target.process.command_line = /(?i).*(Temp|AppData|Downloads|Public|Desktop).*/, 30, 0) +
      if($e.principal.process.file.full_path = /(?i).*(cmd|powershell|wscript|cscript|mshta|winword|excel)\.exe$/, 30, 0)
    )
    $hostname = $e.principal.hostname
    $user = $e.principal.user.userid
    $command_line = $e.target.process.command_line
    $parent_process = $e.principal.process.file.full_path

  condition:
    $e and $risk_score > 0
}

high severity high confidence

Data Sources

Windows Endpoint Telemetry via Chronicle Forwarder Sysmon logs ingested into Chronicle UDM Microsoft Defender for Endpoint events via Chronicle integration

Required Tables

PROCESS_LAUNCH UDM events

False Positives

Microsoft App-V infrastructure in enterprise environments where mavinject.exe is used legitimately to inject virtualized application components
Automated DevOps pipelines that invoke mavinject.exe from PowerShell or cmd.exe scripts during application packaging or compatibility testing
Security orchestration tooling that launches mavinject.exe in sandboxed environments for malware analysis or detonation purposes

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i).*\\mavinject\.exe$/
| CommandLine = /.*/ // ensure field is present
| eval InjectRunning = if(match(CommandLine, /(?i)\/INJECTRUNNING/), 1, 0)
| eval SuspiciousPath = if(match(CommandLine, /(?i)(Temp|AppData|Downloads|Public|Desktop)/), 1, 0)
| eval SuspiciousParent = if(match(ParentBaseFileName, /(?i)(cmd|powershell|wscript|cscript|mshta|winword|excel)\.exe/), 1, 0)
| eval RiskScore = InjectRunning + SuspiciousPath + SuspiciousParent
| where RiskScore > 0
| table([@timestamp, ComputerName, UserName, CommandLine, ParentBaseFileName, InjectRunning, SuspiciousPath, SuspiciousParent, RiskScore])
| sort(field=@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Telemetry (ProcessRollup2) Falcon Insight XDR process events

Required Tables

#event_simpleName=ProcessRollup2

False Positives

Legitimate Microsoft App-V usage in enterprise environments where mavinject.exe is invoked as part of approved application virtualization workflows managed by IT
Endpoint detection and response tooling or forensic agents that invoke mavinject.exe for authorized process instrumentation or monitoring on managed endpoints
Software deployment or packaging automation that calls mavinject.exe from cmd.exe or PowerShell during sanctioned application installation or compatibility testing

Mavinject

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections