title: Mavinject (T1218.013)
id: df00tech-t1218-013
status: experimental
description: "Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V). Adversaries abuse it to inject malicious DLLs into running processes (DLL injection) using the /INJECTRUNNING flag. Since mavinject.exe is a signed Microsoft binary, it can bypass application control. TONESHELL malware has been observed using mavinject.exe for process injection."
references:
  - https://attack.mitre.org/techniques/T1218/013/
  - https://df00tech.com/detections/T1218.013
author: df00tech
date: 2026/04/13
tags:
  - attack.t1218.013
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The df00tech KQL/SPL query could not be auto-translated; this selection is derived from the
  # technique description (mavinject.exe invoked with /INJECTRUNNING) so the rule no longer matches
  # every process_creation event. See the full query on df00tech and tune for your environment.
  selection:
    Image|endswith: '\mavinject.exe'
    CommandLine|contains: '/INJECTRUNNING'
  condition: selection
falsepositives:
  - Microsoft Application Virtualization (App-V) environments where mavinject.exe is used legitimately for virtualized application management
  - App-V client infrastructure invoking mavinject.exe as part of normal application publishing and streaming workflows
  - Enterprise App-V deployments where IT administrators use mavinject.exe for application compatibility management
  - Microsoft App-V testing and development environments
level: high
