Detect Mavinject in Sumo Logic CSE
Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V). Adversaries abuse it to inject malicious DLLs into running processes (DLL injection) using the /INJECTRUNNING flag. Since mavinject.exe is a signed Microsoft binary, it can bypass application control. TONESHELL malware has been observed using mavinject.exe for process injection.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1218 System Binary Proxy Execution
- Sub-technique
- T1218.013 Mavinject
- Canonical reference
- https://attack.mitre.org/techniques/T1218/013/
Sumo Detection Query
_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security"
| json field=_raw "EventID" as event_id nodrop
| where event_id = "1" or event_id = "4688"
| json field=_raw "CommandLine" as command_line nodrop
| json field=_raw "Image" as image nodrop
| json field=_raw "ParentImage" as parent_image nodrop
| json field=_raw "User" as user nodrop
| json field=_raw "Computer" as computer nodrop
| where image matches "*\\mavinject.exe" or command_line matches "*mavinject*"
| eval inject_running = if(command_line matches "(?i).*\/INJECTRUNNING.*", 1, 0)
| eval suspicious_path = if(command_line matches "(?i).*(Temp|AppData|Downloads|Public|Desktop).*", 1, 0)
| eval suspicious_parent = if(parent_image matches "(?i).*(cmd|powershell|wscript|cscript|mshta|winword|excel)\.exe", 1, 0)
| eval risk_score = inject_running + suspicious_path + suspicious_parent
| where risk_score > 0
| fields _messagetime, computer, user, command_line, parent_image, inject_running, suspicious_path, suspicious_parent, risk_score
| sort by _messagetime descSumo Logic CSE query detecting mavinject.exe abuse for DLL injection. Parses Sysmon Event ID 1 or Windows Security Event ID 4688 process creation events, scoring risk based on /INJECTRUNNING flag usage, suspicious DLL paths, and high-risk parent processes.
Data Sources
Required Tables
False Positives & Tuning
- Authorized Microsoft App-V deployments where IT administrators use mavinject.exe for legitimate application virtualization injection tasks
- Endpoint security products or EDR agents that invoke mavinject.exe during process instrumentation or behavioral monitoring activities
- Developer workstations where mavinject.exe is invoked via PowerShell or cmd.exe during application compatibility testing and debugging workflows
Other platforms for T1218.013
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Mavinject DLL Injection into Running Process
Expected signal: Sysmon Event ID 1: mavinject.exe with /INJECTRUNNING and a PID in command line. Sysmon Event ID 8 (CreateRemoteThread) from notepad.exe. Sysmon Event ID 7 (Image Load) on notepad.exe for the injected DLL. Security Event ID 4688.
- Test 2Mavinject from PowerShell Parent
Expected signal: Sysmon Event ID 1: powershell.exe then mavinject.exe with ParentImage=powershell.exe and /INJECTRUNNING in command line. SuspiciousParent and InjectRunning both fire.
- Test 3Mavinject with DLL from Temp Directory
Expected signal: Sysmon Event ID 11: DLL written to Temp. Sysmon Event ID 1: mavinject.exe with /INJECTRUNNING and Temp path. The injection will fail (PID 4 is SYSTEM) but the process creation and file creation events fire.
References (4)
- https://attack.mitre.org/techniques/T1218/013/
- https://lolbas-project.github.io/lolbas/Binaries/Mavinject/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.013/T1218.013.md
- https://www.trendmicro.com/en_us/research/25/b/earth-preta-campaign-uses-ppam-files-and-encrypted-payloads-to-evade-detection.html
Unlock Pro Content
Get the full detection package for T1218.013 including response playbook, investigation guide, and atomic red team tests.