Injecting a malicious DLL into a process is a common adversary TTP. Although the ways of doing this are numerous, mavinject.exe is a commonly used tool for doing so because it roles up many of the necessary steps into one, and is available within Windows. Attackers may rename the executable, so we also use the common argument “INJECTRUNNING” as a related signature here. Whitelisting certain applications may be necessary to reduce noise for this analytic.

ATT&CK Detections

Technique Subtechnique(s) Tactic(s) Level of Coverage
Process Injection Dynamic-link Library Injection Privilege Escalation, Defense Evasion Low

D3FEND Techniques

ID Name
D3-PSA Process Spawn Analysis

Data Model References

Object Action Field
process create exe
process create command_line

Implementations

Pseudocode - mavinject process and its common argument (Pseudocode, CAR native)

This is a pseudocode representation of the below splunk search.

processes = search Process:Create
mavinject_processes = filter processes where (
  exe = "C:\\Windows\\SysWOW64\\mavinject.exe" OR Image="C:\\Windows\\System32\\mavinject.exe" OR command_line = "*/INJECTRUNNING*"
output mavinject_processes

Splunk Search - mavinject (Splunk, Sysmon native)

Search for instances of mavinject.exe or mavinject32.exe

(index=__your_sysmon_index__ EventCode=1) (Image="C:\\Windows\\SysWOW64\\mavinject.exe" OR Image="C:\\Windows\\System32\\mavinject.exe" OR CommandLine="*\INJECTRUNNING*")

LogPoint Search - mavinject (Logpoint, LogPoint native)

Search for instances of mavinject.exe or mavinject32.exe

norm_id=WindowsSysmon event_id=1 (image="C:\Windows\SysWOW64\mavinject.exe" OR image="C:\Windows\System32\mavinject.exe" OR command="*\INJECTRUNNING*")