Detect Mavinject in Google Chronicle
Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V). Adversaries abuse it to inject malicious DLLs into running processes (DLL injection) using the /INJECTRUNNING flag. Since mavinject.exe is a signed Microsoft binary, it can bypass application control. TONESHELL malware has been observed using mavinject.exe for process injection.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1218 System Binary Proxy Execution
- Sub-technique: T1218.013 Mavinject
- Canonical reference: https://attack.mitre.org/techniques/T1218/013/
YARA-L Detection Query
rule t1218_013_mavinject_injection {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects abuse of mavinject.exe (Microsoft Application Virtualization Injector) for DLL injection via /INJECTRUNNING flag. Covers T1218.013 signed binary proxy execution."
    mitre_attack = "T1218.013"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-13"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    // In UDM PROCESS_LAUNCH events the launched binary is target.process and
    // principal.process is its parent, which the third indicator below inspects.
    $e.target.process.file.full_path = /(?i).*\\mavinject\.exe$/
    (
      $e.target.process.command_line = /(?i).*\/INJECTRUNNING.*/
      or $e.target.process.command_line = /(?i).*(Temp|AppData|Downloads|Public|Desktop).*/
      or $e.principal.process.file.full_path = /(?i).*(cmd|powershell|wscript|cscript|mshta|winword|excel)\.exe$/
    )
    // Match variable: the match section groups on placeholders, not raw event fields.
    $e.principal.hostname = $host

  match:
    $host over 5m

  outcome:
    // Composite score: 40 for the injection flag, 30 for a DLL path in a
    // user-writable location, 30 for a script-interpreter or Office parent.
    $risk_score = max(
      if($e.target.process.command_line = /(?i).*\/INJECTRUNNING.*/, 40, 0) +
      if($e.target.process.command_line = /(?i).*(Temp|AppData|Downloads|Public|Desktop).*/, 30, 0) +
      if($e.principal.process.file.full_path = /(?i).*(cmd|powershell|wscript|cscript|mshta|winword|excel)\.exe$/, 30, 0)
    )
    // Event fields in a rule with a match section must be aggregated.
    $hostname = array_distinct($e.principal.hostname)
    $user = array_distinct($e.principal.user.userid)
    $command_line = array_distinct($e.target.process.command_line)
    $parent_process = array_distinct($e.principal.process.file.full_path)

  condition:
    $e and $risk_score > 0
}

Google Chronicle YARA-L 2.0 rule detecting a mavinject.exe launch with the /INJECTRUNNING flag, a DLL path in a user-writable directory, or a script-interpreter or Office parent process. It computes a composite risk score across the three indicators, mapped to T1218.013.
False Positives & Tuning
- Microsoft App-V infrastructure in enterprise environments where mavinject.exe is used legitimately to inject virtualized application components
- Automated DevOps pipelines that invoke mavinject.exe from PowerShell or cmd.exe scripts during application packaging or compatibility testing
- Security orchestration tooling that launches mavinject.exe in sandboxed environments for malware analysis or detonation purposes
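The rule's three-indicator scoring and the first tuning case above, as an added Python example that is neither the rule itself nor Argus code: it scores constructed UDM-style PROCESS_LAUNCH events, so every hostname, PID, path (including the AppVClient.exe location) and command line is made up for illustration.

```python
# Added example: the rule's indicator scoring re-implemented in Python and run
# over constructed UDM-style PROCESS_LAUNCH events. Not part of the rule itself.
# UDM semantics: target.process is the launched binary, principal.process its parent.
import re

MAVINJECT = re.compile(r"\\mavinject\.exe$", re.I)
# Indicator name, weight, field inspected and pattern, mirroring the outcome section.
INDICATORS = [
    ("InjectRunning", 40, "cmdline", re.compile(r"/INJECTRUNNING", re.I)),
    ("UserWritablePath", 30, "cmdline", re.compile(r"(Temp|AppData|Downloads|Public|Desktop)", re.I)),
    ("SuspiciousParent", 30, "parent", re.compile(r"(cmd|powershell|wscript|cscript|mshta|winword|excel)\.exe$", re.I)),
]

def score_event(ev):
    """(risk_score, indicator names) for one event; (0, []) unless mavinject.exe was launched."""
    if ev["metadata"]["event_type"] != "PROCESS_LAUNCH":
        return 0, []
    if not MAVINJECT.search(ev["target"]["process"]["file"]["full_path"]):
        return 0, []
    fields = {"cmdline": ev["target"]["process"]["command_line"],
              "parent": ev["principal"]["process"]["file"]["full_path"]}
    hits = [(name, w) for name, w, f, rx in INDICATORS if rx.search(fields[f])]
    return sum(w for _, w in hits), [name for name, _ in hits]

def detect(events):
    """Max score per hostname (the match variable), as the rule's max() does; score > 0 fires."""
    per_host = {}
    for ev in events:
        score, _ = score_event(ev)
        if score > 0:
            host = ev["principal"]["hostname"]
            per_host[host] = max(per_host.get(host, 0), score)
    return per_host

def launch(host, parent, image, cmdline):  # minimal constructed UDM-like event
    return {"metadata": {"event_type": "PROCESS_LAUNCH"},
            "principal": {"hostname": host, "process": {"file": {"full_path": parent}}},
            "target": {"process": {"file": {"full_path": image}, "command_line": cmdline}}}

# Constructed sample telemetry, not real captures.
SAMPLE_EVENTS = [
    # PowerShell parent, /INJECTRUNNING, DLL under AppData\Local\Temp: all three indicators -> 100
    launch("WS01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           r"C:\Windows\System32\mavinject.exe",
           r"mavinject.exe 4812 /INJECTRUNNING C:\Users\bob\AppData\Local\Temp\x.dll"),
    # App-V client injecting a virtualised component (first tuning case): only the flag -> 40
    launch("WS02", r"C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe",
           r"C:\Windows\System32\mavinject.exe",
           r"mavinject.exe 2216 /INJECTRUNNING C:\ProgramData\App-V\pkg\hook.dll"),
]
```

`detect(SAMPLE_EVENTS)` returns {'WS01': 100, 'WS02': 40}: the legitimate App-V host still fires on the flag alone, which is why the App-V tuning entry above is needed (for example, an allow-list on the AppVClient.exe parent).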
Testing Methodology
Validate this detection against three Atomic Red Team tests for this technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Mavinject DLL Injection into Running Process
  Expected signal: Sysmon Event ID 1: mavinject.exe with /INJECTRUNNING and a PID in the command line. Sysmon Event ID 8 (CreateRemoteThread) from notepad.exe. Sysmon Event ID 7 (Image Load) on notepad.exe for the injected DLL. Security Event ID 4688.
- Test 2: Mavinject from PowerShell Parent
  Expected signal: Sysmon Event ID 1: powershell.exe, then mavinject.exe with ParentImage=powershell.exe and /INJECTRUNNING in the command line. The SuspiciousParent and InjectRunning indicators both fire.
- Test 3: Mavinject with DLL from Temp Directory
  Expected signal: Sysmon Event ID 11: DLL written to Temp. Sysmon Event ID 1: mavinject.exe with /INJECTRUNNING and a Temp path. The injection itself fails (PID 4 is SYSTEM), but the process creation and file creation events still fire.
References
- https://attack.mitre.org/techniques/T1218/013/
- https://lolbas-project.github.io/lolbas/Binaries/Mavinject/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.013/T1218.013.md
- https://www.trendmicro.com/en_us/research/25/b/earth-preta-campaign-uses-ppam-files-and-encrypted-payloads-to-evade-detection.html