CAR-2020-11-003: DLL Injection with Mavinject
Injecting a malicious DLL into a process is a common adversary TTP. Although the ways of doing this are numerous, mavinject.exe is a commonly used tool for doing so because it roles up many of the necessary steps into one, and is available within Windows. Attackers may rename the executable, so we also use the common argument “INJECTRUNNING” as a related signature here. Whitelisting certain applications may be necessary to reduce noise for this analytic.
ATT&CK Detections
| Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
|---|---|---|---|
| Process Injection | Dynamic-link Library Injection | Privilege Escalation, Defense Evasion | Low |
D3FEND Techniques
| ID | Name |
|---|---|
| D3-PSA | Process Spawn Analysis |
Data Model References
| Object | Action | Field |
|---|---|---|
| process | create | exe |
| process | create | command_line |
Implementations
Pseudocode - mavinject process and its common argument (Pseudocode, CAR native)
This is a pseudocode representation of the below splunk search.
processes = search Process:Create
mavinject_processes = filter processes where (
exe = "C:\\Windows\\SysWOW64\\mavinject.exe" OR Image="C:\\Windows\\System32\\mavinject.exe" OR command_line = "*/INJECTRUNNING*"
output mavinject_processes
Splunk Search - mavinject (Splunk, Sysmon native)
Search for instances of mavinject.exe or mavinject32.exe
(index=__your_sysmon_index__ EventCode=1) (Image="C:\\Windows\\SysWOW64\\mavinject.exe" OR Image="C:\\Windows\\System32\\mavinject.exe" OR CommandLine="*\INJECTRUNNING*")
LogPoint Search - mavinject (Logpoint, LogPoint native)
Search for instances of mavinject.exe or mavinject32.exe
norm_id=WindowsSysmon event_id=1 (image="C:\Windows\SysWOW64\mavinject.exe" OR image="C:\Windows\System32\mavinject.exe" OR command="*\INJECTRUNNING*")