
Detect Mavinject in IBM QRadar

Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that injects code into external processes as part of Microsoft Application Virtualization (App-V). Adversaries abuse it to inject malicious DLLs into running processes (DLL injection) with the /INJECTRUNNING flag, using the form mavinject.exe <PID> /INJECTRUNNING <path to DLL>. Because mavinject.exe is a Microsoft-signed binary, application control policies that trust Microsoft-signed executables typically allow it to run, so the injection is carried out by an allowed binary rather than by the adversary's own code. TONESHELL malware has been observed using mavinject.exe for process injection.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1218 System Binary Proxy Execution
Sub-technique: T1218.013 Mavinject
Canonical reference: https://attack.mitre.org/techniques/T1218/013/

QRadar Detection Query

```sql
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  -- indicator columns: which part of the detection logic fired for this row
  CASE WHEN LOWER("Command") LIKE '%/injectrunning%' THEN 1 ELSE 0 END AS inject_running,
  CASE WHEN LOWER("Command") LIKE '%temp%'
            OR LOWER("Command") LIKE '%appdata%'
            OR LOWER("Command") LIKE '%downloads%'
            OR LOWER("Command") LIKE '%public%'
            OR LOWER("Command") LIKE '%desktop%' THEN 1 ELSE 0 END AS suspicious_path,
  CASE WHEN LOWER("Parent Process Name") LIKE '%cmd.exe%'
            OR LOWER("Parent Process Name") LIKE '%powershell.exe%'
            OR LOWER("Parent Process Name") LIKE '%wscript.exe%'
            OR LOWER("Parent Process Name") LIKE '%cscript.exe%'
            OR LOWER("Parent Process Name") LIKE '%mshta.exe%'
            OR LOWER("Parent Process Name") LIKE '%winword.exe%'
            OR LOWER("Parent Process Name") LIKE '%excel.exe%' THEN 1 ELSE 0 END AS suspicious_parent
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  -- the binary itself, or any command line that references it
  AND (
    LOWER("Process Name") LIKE '%mavinject.exe'
    OR LOWER("Command") LIKE '%mavinject.exe%'
  )
  -- at least one of: injection flag, scripting/Office parent, DLL under a user-writable path
  AND (
    LOWER("Command") LIKE '%/injectrunning%'
    OR LOWER("Parent Process Name") LIKE '%cmd.exe%'
    OR LOWER("Parent Process Name") LIKE '%powershell.exe%'
    OR LOWER("Parent Process Name") LIKE '%wscript.exe%'
    OR LOWER("Parent Process Name") LIKE '%cscript.exe%'
    OR LOWER("Parent Process Name") LIKE '%mshta.exe%'
    OR LOWER("Parent Process Name") LIKE '%winword.exe%'
    OR LOWER("Parent Process Name") LIKE '%excel.exe%'
    OR LOWER("Command") LIKE '%temp%'
    OR LOWER("Command") LIKE '%appdata%'
    OR LOWER("Command") LIKE '%downloads%'
  )
ORDER BY devicetime DESC
LAST 24 HOURS
```

Severity: High. Confidence: High.

QRadar AQL query that returns mavinject.exe process creations carrying the /INJECTRUNNING flag, a DLL path under a user-writable location (Temp, AppData, Downloads), or a script-interpreter or Office-application parent. The three indicator columns (inject_running, suspicious_path, suspicious_parent) show which condition fired so hits can be triaged without re-reading the command line. The time window is a trailing AQL time clause (LAST 24 HOURS), which belongs after ORDER BY rather than inside the WHERE clause. Maps to T1218.013 System Binary Proxy Execution: Mavinject.

The query assumes "Process Name", "Command" and "Parent Process Name" exist as custom event properties on the Windows and Sysmon log sources in your deployment; with Security Event ID 4688 the command line is populated only when "Include command line in process creation events" is enabled in audit policy. If your QRadar version rejects the CASE expressions, drop the three indicator columns; the WHERE clause carries the detection logic on its own.
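To make the query's predicate and indicator columns concrete, here is an added Python example (not code from this page or from IBM) that applies the same logic to constructed process-creation records and then shows two tuning changes: anchoring the path markers on directory separators so that `%temp%` no longer matches a `Templates` folder, and suppressing hits that look like sanctioned App-V use. The App-V allowlist shape (parent binary name and DLL directory) and all PIDs, paths and usernames are assumptions made for the example.

```python
import re

# Constructed process-creation records, shaped like the custom event properties
# the AQL query reads ("Process Name", "Command", "Parent Process Name").
# They are made up for this example and are not real telemetry.
SAMPLE_EVENTS = [
    {  # scripted injection of a DLL dropped in a user-writable directory
        "id": "tp-1",
        "Process Name": r"C:\Windows\System32\mavinject.exe",
        "Command": r'"C:\Windows\System32\mavinject.exe" 4812 /INJECTRUNNING C:\Users\alice\AppData\Local\Temp\upd.dll',
        "Parent Process Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {  # assumed shape of legitimate App-V use: parented by the App-V client service,
       # DLL under Program Files; the only indicator present is the /INJECTRUNNING flag
        "id": "appv-1",
        "Process Name": r"C:\Windows\System32\mavinject.exe",
        "Command": r'"C:\Windows\System32\mavinject.exe" 3344 /INJECTRUNNING "C:\Program Files\Microsoft Application Virtualization\Client\subsystem.dll"',
        "Parent Process Name": r"C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe",
    },
    {  # substring trap: LIKE '%temp%' also matches a 'Templates' directory
        "id": "fp-template",
        "Process Name": r"C:\Windows\System32\mavinject.exe",
        "Command": r'"C:\Windows\System32\mavinject.exe" 2200 /INJECTRUNNING "C:\Program Files\Vendor\Templates\hook.dll"',
        "Parent Process Name": r"C:\Program Files\Vendor\agent.exe",
    },
    {  # unrelated process creation; must not be selected at all
        "id": "noise",
        "Process Name": r"C:\Windows\System32\notepad.exe",
        "Command": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\AppData\Local\Temp\notes.txt',
        "Parent Process Name": r"C:\Windows\explorer.exe",
    },
]

SCRIPT_AND_OFFICE_PARENTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                             "mshta.exe", "winword.exe", "excel.exe")
USER_WRITABLE_MARKERS = ("temp", "appdata", "downloads", "public", "desktop")

# Tuned path test: the marker must be a whole directory segment (\temp\, \appdata\, ...).
USER_WRITABLE_SEGMENT = re.compile(r"\\(temp|appdata|downloads|public|desktop)\\", re.IGNORECASE)

# Assumed allowlist for sanctioned App-V: parent binary and the DLL directory prefix.
APPV_PARENT = "appvclient.exe"
APPV_DLL_DIR = "c:\\program files\\microsoft application virtualization\\client\\"


def score_event(ev, anchored_paths=False):
    """Apply the AQL WHERE clause and indicator columns to one record.

    Returns None when the record would not be selected, otherwise a dict with the
    three indicator columns. anchored_paths=True swaps the '%temp%'-style substring
    test for the directory-segment test."""
    proc = ev["Process Name"].lower()
    cmd = ev["Command"].lower()
    parent = ev["Parent Process Name"].lower()
    if not (proc.endswith("mavinject.exe") or "mavinject.exe" in cmd):
        return None
    if anchored_paths:
        suspicious_path = bool(USER_WRITABLE_SEGMENT.search(cmd))
        where_path = suspicious_path
    else:
        suspicious_path = any(m in cmd for m in USER_WRITABLE_MARKERS)
        # the query's WHERE clause tests only three of the five markers
        where_path = any(m in cmd for m in ("temp", "appdata", "downloads"))
    inject_running = "/injectrunning" in cmd
    suspicious_parent = any(p in parent for p in SCRIPT_AND_OFFICE_PARENTS)
    if not (inject_running or suspicious_parent or where_path):
        return None
    return {"inject_running": int(inject_running),
            "suspicious_path": int(suspicious_path),
            "suspicious_parent": int(suspicious_parent)}


def is_sanctioned_appv(ev):
    """Assumed tuning: drop hits parented by the App-V client that inject a DLL from its own directory."""
    return (ev["Parent Process Name"].lower().endswith(APPV_PARENT)
            and APPV_DLL_DIR in ev["Command"].lower())


def run_query(events, anchored_paths=False, suppress_appv=False):
    """Return {record id: indicator columns} for the records the query would select."""
    hits = {}
    for ev in events:
        if suppress_appv and is_sanctioned_appv(ev):
            continue
        flags = score_event(ev, anchored_paths=anchored_paths)
        if flags is not None:
            hits[ev["id"]] = flags
    return hits


if __name__ == "__main__":
    print("as written:", run_query(SAMPLE_EVENTS))
    print("tuned:     ", run_query(SAMPLE_EVENTS, anchored_paths=True, suppress_appv=True))
```

As written, the App-V record and the Templates record are both selected and the latter is scored as a user-writable path; with the tuned tests the App-V record is suppressed and the Templates record keeps only its inject_running indicator, which is still worth a look but no longer carries a misleading path score.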

Data Sources

  • Microsoft Windows Security Event Log (QRadar DSM)
  • Sysmon (QRadar DSM)
  • Windows Endpoint Log Source

Required Tables

events

False Positives & Tuning

  • Legitimate Microsoft App-V infrastructure where mavinject.exe is used as part of sanctioned application virtualization workflows on managed endpoints. Sanctioned use also carries the /INJECTRUNNING flag, so tune on the combination of parent process and DLL directory observed in your baseline rather than exempting mavinject.exe outright.
  • Enterprise software distribution systems that invoke mavinject.exe during package installation or compatibility testing phases
  • Security testing or red team exercises on endpoints where mavinject.exe is intentionally invoked for authorized penetration testing
  • The path patterns are plain substring matches: '%temp%' also matches directories such as Templates, and '%public%' and '%desktop%' only contribute to the suspicious_path column, not to row selection. If this produces noise, anchor the patterns on directory separators.


Testing Methodology

Validate this detection against the three tests below, which follow the Atomic Red Team tests for T1218.013. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Mavinject DLL Injection into Running Process

    Expected signal: Sysmon Event ID 1: mavinject.exe with /INJECTRUNNING and the target PID in the command line. Sysmon Event ID 8 (CreateRemoteThread) with SourceImage mavinject.exe and TargetImage notepad.exe. Sysmon Event ID 7 (Image Load) in notepad.exe for the injected DLL. Security Event ID 4688 for mavinject.exe (the command line appears only if command-line auditing for process creation is enabled).

  2. Test 2: Mavinject from PowerShell Parent

    Expected signal: Sysmon Event ID 1: powershell.exe, then mavinject.exe with ParentImage=powershell.exe and /INJECTRUNNING in the command line. Both the suspicious_parent and inject_running columns of the query evaluate to 1.

  3. Test 3: Mavinject with DLL from Temp Directory

    Expected signal: Sysmon Event ID 11: DLL written to the user's Temp directory. Sysmon Event ID 1: mavinject.exe with /INJECTRUNNING and the Temp path. PID 4 is the System process, so the injection itself fails and no Event ID 8 or 7 follows, but the process-creation and file-creation events still fire and the query's inject_running and suspicious_path columns both evaluate to 1.
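The tests above describe a chain of Sysmon events around each mavinject.exe launch. As an added example (not code from this page or from Atomic Red Team), the following Python extracts the target PID and DLL path from the /INJECTRUNNING command line and correlates them with the CreateRemoteThread, ImageLoad and FileCreate events, so that a confirmed injection (Test 1) can be told apart from a failed attempt against PID 4 (Test 3). The Sysmon field names are the real ones; the events, PIDs and paths are constructed for the example.

```python
import re

# Injection syntax per ATT&CK T1218.013: mavinject.exe <PID> /INJECTRUNNING <DLL path>
INJECT_RE = re.compile(r'mavinject(?:\.exe)?"?\s+(\d+)\s+/INJECTRUNNING\s+"?([^"]+?)"?\s*$',
                       re.IGNORECASE)

# Constructed Sysmon events for Test 1 and Test 3, in time order ('ts'), using Sysmon
# field names. PIDs and paths are made up for the example.
SAMPLE_SYSMON = [
    # Test 1: injection into a running notepad.exe, launched from cmd.exe
    {"ts": 1, "EventID": 1, "ProcessId": 6100, "Image": r"C:\Windows\System32\mavinject.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"mavinject.exe 4812 /INJECTRUNNING C:\Tools\t1218.dll"},
    {"ts": 2, "EventID": 8, "SourceProcessId": 6100, "SourceImage": r"C:\Windows\System32\mavinject.exe",
     "TargetProcessId": 4812, "TargetImage": r"C:\Windows\System32\notepad.exe"},
    {"ts": 3, "EventID": 7, "ProcessId": 4812, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Tools\t1218.dll"},
    # Test 3: DLL written to Temp, then an attempt against PID 4 (System) that fails,
    # so no CreateRemoteThread or ImageLoad follows
    {"ts": 4, "EventID": 11, "ProcessId": 5120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\t1218.dll"},
    {"ts": 5, "EventID": 1, "ProcessId": 6300, "Image": r"C:\Windows\System32\mavinject.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\mavinject.exe" 4 /INJECTRUNNING "C:\Users\alice\AppData\Local\Temp\t1218.dll"'},
]


def parse_mavinject(cmdline):
    """Return (target_pid, dll_path) from a mavinject /INJECTRUNNING command line, or None."""
    m = INJECT_RE.search(cmdline)
    if not m:
        return None
    return int(m.group(1)), m.group(2)


def correlate(events):
    """For every mavinject.exe process creation, collect the follow-on telemetry the tests
    expect and classify the launch as a confirmed injection or an attempt only."""
    results = []
    for ev in events:
        if ev["EventID"] != 1 or not ev["Image"].lower().endswith("mavinject.exe"):
            continue
        parsed = parse_mavinject(ev["CommandLine"])
        if parsed is None:
            continue
        target_pid, dll = parsed
        dll_l = dll.lower()
        # Event ID 11 for the same DLL path, before the launch: the payload was dropped first
        dropped = any(e["EventID"] == 11 and e["ts"] < ev["ts"]
                      and e["TargetFilename"].lower() == dll_l for e in events)
        # Event ID 8 from the injector into the PID named on the command line
        remote_thread = any(e["EventID"] == 8 and e["SourceProcessId"] == ev["ProcessId"]
                            and e["TargetProcessId"] == target_pid for e in events)
        # Event ID 7: the named DLL loaded inside the target process
        loaded = any(e["EventID"] == 7 and e["ProcessId"] == target_pid
                     and e["ImageLoaded"].lower() == dll_l for e in events)
        results.append({
            "injector_pid": ev["ProcessId"],
            "parent": ev["ParentImage"].rsplit("\\", 1)[-1].lower(),
            "target_pid": target_pid,
            "dll": dll,
            "dll_dropped_first": dropped,
            "remote_thread": remote_thread,
            "dll_loaded_in_target": loaded,
            "verdict": "injection confirmed" if (remote_thread and loaded) else "attempt only",
        })
    return results


if __name__ == "__main__":
    for r in correlate(SAMPLE_SYSMON):
        print(r)
```

The attempt-only case is the one that matters for Test 3: the query still fires on the Event ID 1 record, and the correlation tells the analyst that nothing was actually injected, while the Event ID 11 match shows where the payload came from.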
