Injecting a malicious DLL into a process is a common adversary TTP. Although the ways of doing this are numerous, mavinject.exe is a commonly used tool for doing so because it rolls up many of the necessary steps into one, and is available within Windows. Attackers may rename the executable, so we also use the common argument “INJECTRUNNING” as a related signature here. Whitelisting certain applications may be necessary to reduce noise for this analytic.
|Technique|Subtechnique(s)|Tactic(s)|Level of Coverage|
|---|---|---|---|
|Process Injection|Dynamic-link Library Injection|Privilege Escalation, Defense Evasion|Low|
Data Model References
Pseudocode - mavinject process and its common argument (Pseudocode, CAR native)
This is a pseudocode representation of the below Splunk search.
processes = search Process:Create
mavinject_processes = filter processes where (
  exe = "C:\\Windows\\SysWOW64\\mavinject.exe" OR
  exe = "C:\\Windows\\System32\\mavinject.exe" OR
  command_line = "*/INJECTRUNNING*"
)
output mavinject_processes
Splunk Search - mavinject (Splunk, Sysmon native)
Search for instances of mavinject.exe or mavinject32.exe
(index=__your_sysmon_index__ EventCode=1) (Image="C:\\Windows\\SysWOW64\\mavinject.exe" OR Image="C:\\Windows\\System32\\mavinject.exe" OR CommandLine="*/INJECTRUNNING*")
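The same analytic as an added Python example (not CAR's own code), applied to constructed Sysmon process-create records flattened to key=value text; it also shows the renamed-binary case caught by the argument and the whitelisting the text mentions, with the allowed parent image being an assumed placeholder.

```python
import re

# Paths the analytic matches (lower-cased for case-insensitive comparison).
MAVINJECT_IMAGES = {
    r"c:\windows\syswow64\mavinject.exe",
    r"c:\windows\system32\mavinject.exe",
}
# The characteristic argument, used to catch a renamed copy of the binary.
INJECT_ARG = "/injectrunning"
# Parents expected to launch mavinject in your environment (the page's
# "whitelisting"). Assumed placeholder entry; populate from your own baseline.
ALLOWED_PARENTS = {r"c:\program files\example\trustedlauncher.exe"}

# Constructed sample Sysmon events flattened to key=value text; not real telemetry.
SAMPLE_EVENTS = [
    r'EventCode=1 Image="C:\Windows\System32\mavinject.exe" CommandLine="mavinject.exe 4312 /INJECTRUNNING C:\Users\Public\x.dll" ParentImage="C:\Windows\System32\cmd.exe"',
    r'EventCode=1 Image="C:\Users\Public\svchost.exe" CommandLine="svchost.exe 4312 /INJECTRUNNING C:\Users\Public\x.dll" ParentImage="C:\Windows\explorer.exe"',
    r'EventCode=1 Image="C:\Windows\System32\mavinject.exe" CommandLine="mavinject.exe 880 /INJECTRUNNING C:\ProgramData\hook.dll" ParentImage="C:\Program Files\Example\TrustedLauncher.exe"',
    r'EventCode=1 Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe" ParentImage="C:\Windows\explorer.exe"',
    r'EventCode=3 Image="C:\Windows\System32\mavinject.exe" DestinationIp="10.0.0.5"',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Parse a flattened key=value line (quoted or bare values) into a dict."""
    return {k: q or b for k, q, b in _KV.findall(line)}

def matches_analytic(event):
    """Return why a process-create event matches the analytic, or None."""
    if event.get("EventCode") != "1":          # only Sysmon process creation
        return None
    if event.get("ParentImage", "").lower() in ALLOWED_PARENTS:
        return None                            # reduce noise for known launchers
    if event.get("Image", "").lower() in MAVINJECT_IMAGES:
        return "mavinject image path"
    if INJECT_ARG in event.get("CommandLine", "").lower():
        return "INJECTRUNNING argument"        # renamed binary, same argument
    return None

def run_detection(lines):
    """Apply the analytic to a batch of lines; returns (Image, reason) per hit."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reason = matches_analytic(event)
        if reason:
            hits.append((event["Image"], reason))
    return hits
```

On the sample batch the two hits are the mavinject.exe launched from cmd.exe and the renamed copy in C:\Users\Public; the run under the allowed parent and the non-process-create event are dropped.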