Full Report
1. Overview
Mavinject.exe is a legitimate utility provided by Microsoft. It is used to inject DLLs into specific processes in an Application Virtualization (App-V) environment. It has been included in the operating system by default since Windows 10 version 1607, and it is a trusted executable file signed by Microsoft. As a result, most security […]
Analysis Summary
# Tool/Technique: Mavinject.exe
## Overview
Mavinject.exe is a legitimate Microsoft utility designed to inject Dynamic Link Libraries (DLLs) into specific processes within an Application Virtualization (App-V) environment. Threat actors abuse this signed, whitelisted executable to perform process injection, facilitating code execution and evasion of security solutions by hiding malicious activity within a trusted process.
## Technical Details
- Type: Tool (Abused Legitimate Utility)
- Platform: Windows (ships as part of the App-V feature; present by default since Windows 10 version 1607)
- Capabilities: DLL Injection into running processes, execution of remote code via loaded modules.
- First Seen: Included by default since Windows 10 version 1607.
## MITRE ATT&CK Mapping
- T1218 - Signed Binary Proxy Execution
- T1218.013 - Signed Binary Proxy Execution: Mavinject
## Functionality
### Core Capabilities
- **DLL Injection (`/INJECTRUNNING`):** Injects a specified malicious DLL into a running process identified by its Process ID (PID). This relies on the classic Windows injection API sequence: `OpenProcess`, `VirtualAllocEx`, `WriteProcessMemory`, and `CreateRemoteThread` (with `LoadLibraryW` as the remote thread's start routine, so the target process itself loads the DLL).
- **DLL Import Table Injection (`/HMODULE`):** Manipulates the target executable's Import Address Table to directly call a function within an external DLL by specifying the target PID, module base address, DLL name, and function ordinal index.
- **Evasion:** Exploits the trust associated with a Microsoft-signed executable to bypass security product whitelisting and evade behavior-based detection by attributing malicious actions to a legitimate process (like `notepad.exe` or `explorer.exe`).
- **ADS Support:** Can target DLLs located in NTFS Alternate Data Streams (ADS) to bypass conventional file detection mechanisms.
### Advanced Features
- **Process Hiding:** When a malicious DLL is injected (e.g., into `notepad.exe`), subsequent malicious actions (like C2 communication or malware download) appear to originate from the legitimate host process, complicating analysis of the process tree.
- **Precise Control:** The `/HMODULE` method offers more granular control over which function within the injected DLL is executed.
## Indicators of Compromise
- File Hashes: N/A (Relies on the legitimate system file)
- File Names: `mavinject.exe`
- Registry Keys: N/A
- Network Indicators: N/A (Behavior is host-based injection, network activity depends on the injected payload)
- Behavioral Indicators:
  - Execution of `mavinject.exe` from the command line with arguments like `/INJECTRUNNING` or `/HMODULE`.
  - Sequences of Windows API calls in a monitored process: `OpenProcess`, `VirtualAllocEx`, `WriteProcessMemory`, and `CreateRemoteThread`.
  - Suspicious `LoadLibraryW` calls traced back to a `mavinject.exe` thread.
## Associated Threat Actors
- Earth Preta (Mustang Panda)
- Lazarus Group
## Detection Methods
- **Command Line Monitoring:** Detect execution of `mavinject.exe` when arguments `/INJECTRUNNING` or `/HMODULE` are present.
- **API Call Monitoring (Sysmon/EDR):** Monitor for the specific sequence of process manipulation APIs (`OpenProcess`, `VirtualAllocEx`, `WriteProcessMemory`, `CreateRemoteThread`) originating from `mavinject.exe`.
- **Tracing:** Trace the call path that leads to `LoadLibraryW` and flag module loads whose initiating thread was created by another process (here `mavinject.exe`) rather than by the target process's own loader activity.
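To make the command-line detection above concrete, the following is an added Python example (not code from the report or from any vendor product) that runs the check over constructed Sysmon Event ID 1 records: it flags `mavinject.exe` invoked with `/INJECTRUNNING` or `/HMODULE`, extracts the target PID, module base and DLL path, marks DLLs loaded from an NTFS Alternate Data Stream, and assumes (not stated in the report) that legitimate App-V activity launches `mavinject.exe` from `AppVClient.exe`, downgrading only those hits to "review".

```python
import re

# Assumption (not stated in the report): legitimate App-V use launches mavinject.exe
# from the App-V client service binary; any other parent process is treated as hostile.
APPV_CLIENT = r"C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe"
# Constructed Sysmon Event ID 1 (process creation) records reduced to the fields used
# here. PIDs, paths and the module base address are made up for illustration.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mavinject.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"mavinject.exe 4812 /INJECTRUNNING C:\Users\Public\update.dll"},
    {"Image": r"C:\Windows\System32\mavinject.exe", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'mavinject.exe 2204 /HMODULE=0x7ff9a6e40000 "C:\ProgramData\Tools\x.dll" 1'},
    {"Image": r"C:\Windows\System32\mavinject.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"MAVINJECT.EXE 3120 /injectrunning C:\Users\Public\readme.txt:payload.dll"},
    {"Image": r"C:\Windows\System32\mavinject.exe", "ParentImage": APPV_CLIENT,
     "CommandLine": r'mavinject.exe 1508 /INJECTRUNNING "C:\Program Files\Microsoft Application Virtualization\Client\AppVEntSubsystems64.dll"'},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\Public\notes.txt"},
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')                      # quoted or bare argument
SWITCH_RE = re.compile(r"^/(INJECTRUNNING|HMODULE)(?:=(\S+))?$", re.IGNORECASE)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_ads_path(path):
    """True when a colon follows the drive letter, e.g. readme.txt:payload.dll."""
    body = path[2:] if re.match(r"^[A-Za-z]:", path) else path
    return ":" in body

def check_event(ev):
    """Return a finding for a mavinject.exe injection command line, else None."""
    if basename(ev["Image"]) != "mavinject.exe":
        return None
    tokens = [quoted or bare for quoted, bare in TOKEN_RE.findall(ev["CommandLine"])]
    for i, tok in enumerate(tokens):
        m = SWITCH_RE.match(tok)
        if not m:
            continue
        dll = tokens[i + 1] if i + 1 < len(tokens) else ""   # argument after the switch
        ads = is_ads_path(dll)
        from_appv = basename(ev["ParentImage"]) == basename(APPV_CLIENT)
        return {"target_pid": tokens[i - 1] if i and tokens[i - 1].isdigit() else None,
                "switch": m.group(1).upper(), "module_base": m.group(2), "dll": dll,
                "ads": ads, "severity": "review" if from_appv and not ads else "high"}
    return None

def analyze(events):
    return [f for f in map(check_event, events) if f]
```

Feeding real exported Sysmon events (with the same three field names) into `analyze` is enough to triage a host; the App-V parent check is a tuning knob, not a whitelist.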
## Mitigation Strategies
- **Policy Enforcement:** Apply policies to block the execution of `mavinject.exe` entirely in environments where the App-V feature is confirmed to be unused.
- **Injection Defense:** Establish robust rules to detect inter-process DLL injection attempts regardless of the injector used.
- **Process Auditing:** Regularly audit the DLL loading history of critical, high-trust processes (like `explorer.exe`) for abnormal loads.
- **App-V Monitoring:** Monitor the activation status of App-V, as some security tools may leverage this information for detection logic.
## Related Tools/Techniques
- General DLL Injection techniques.
- Abuse of other legitimate, signed binaries for proxy execution (e.g., `InstallUtil.exe`, `RegSvcs.exe`).