Mavinject

Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App V).(Citation: LOLBAS Mavinject) Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic link Library Injection), allowing for arbitrary code execution (ex. <code C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH DLL</code ).(Citation: ATT Lazarus TTP Evolution)(Citation: Reaqta Mavinject) Since mavinject.exe may be digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process. In addition to Dynamic link Library Injection, Mavinject.exe can also be abused to perform import descriptor injection via its <code /HMODULE</code command line parameter (ex. <code mavinject.exe PID /HMODULE=BASE ADDRESS PATH DLL ORDINAL NUMBER</code ). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.(Citation: Mavinject Functionality Deconstructed)