Abuse of mavinject.exe to inject DLLs or import descriptors into another running process. Chain: (1) mavinject.exe starts with /INJECTRUNNING or /HMODULE → (2) mavinject obtains high-access handles to a target process (VM_WRITE/CREATE_THREAD) → (3) target process loads attacker DLL (module load) → (4) optional follow-on child activity or network egress from the target process.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |

| Field | Description |
|---|---|
| TimeWindow | Correlation interval (e.g., 5–10 minutes) linking mavinject start → ProcessAccess → module load/network from the target process. |
| DLLPathRegex | Patterns for suspicious DLL locations (e.g., %TEMP%, Downloads, UNC shares) to reduce noise from legitimate injections. |
| TargetProcessAllowList | Legitimate App-V targets (if App-V is used) to suppress; flag unusual targets such as browsers, LSASS, Winlogon and EDR processes. |
| MinGrantedAccessSet | Set of access rights that imply injection (VM_WRITE, VM_OPERATION, CREATE_THREAD). Tune for your EDR/Sysmon GrantedAccess formatting. |
| ParentProcessFilter | Legitimate parents starting mavinject (e.g., App-V services) vs. suspicious parents (Office, script hosts, browsers). |
| ExternalIPAllowlist | Known enterprise update/CDN ranges to exclude when correlating post-injection network activity. |
| SignedToUnsignedTransition | Alerting when Microsoft-signed mavinject leads to loading unsigned DLLs in a target process. |
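The four-stage chain and the tunable fields above expressed as correlation logic, as an added example that is not part of this detection strategy page. It runs over constructed Security 4688 / Sysmon 10, 7 and 3 style events; the allowlisted target name, the DLL path patterns, the access-right mask and all sample values are assumptions.

```python
import re
from datetime import datetime, timedelta

# Sysmon EventCode 10 GrantedAccess bits that imply injection (the MinGrantedAccessSet field).
INJECT_MASK = 0x0002 | 0x0008 | 0x0020  # PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
DLL_PATH_REGEX = re.compile(r"\\(Temp|Downloads)\\|^\\\\", re.I)  # DLLPathRegex: temp, downloads, UNC
TARGET_ALLOW = {"appvclient.exe"}  # TargetProcessAllowList (hypothetical App-V target, assumption)

def _in_window(t0, ts, window):
    return t0 <= datetime.fromisoformat(ts) <= t0 + window

def detect_mavinject_chain(events, window_minutes=10):
    """Correlate 4688 mavinject start -> Sysmon 10 -> Sysmon 7 (-> Sysmon 3) on the target pid."""
    window, alerts = timedelta(minutes=window_minutes), []
    starts = [e for e in events if e["code"] == 4688 and e["image"].lower().endswith("\\mavinject.exe")
              and re.search(r"/(INJECTRUNNING|HMODULE)\b", e["cmdline"], re.I)]
    for s in starts:
        t0 = datetime.fromisoformat(s["time"])
        for a in events:
            # stage 2: mavinject opened a non-allowlisted target with write/thread rights inside the window
            if (a["code"] != 10 or a["source_pid"] != s["pid"] or not _in_window(t0, a["time"], window)
                    or int(a["granted_access"], 16) & INJECT_MASK != INJECT_MASK
                    or a["target_image"].lower() in TARGET_ALLOW):
                continue
            # stage 3: the target loaded a DLL from a suspicious path or an unsigned one (SignedToUnsignedTransition)
            loads = [m for m in events if m["code"] == 7 and m["pid"] == a["target_pid"]
                     and _in_window(t0, m["time"], window)
                     and (DLL_PATH_REGEX.search(m["image_loaded"]) or m["signed"] == "false")]
            if not loads:
                continue
            # stage 4 (optional): outbound connection from the injected process raises severity
            egress = [n for n in events if n["code"] == 3 and n["pid"] == a["target_pid"]
                      and _in_window(t0, n["time"], window)]
            alerts.append({"parent": s["parent"], "target": a["target_image"], "dll": loads[0]["image_loaded"],
                           "severity": "high" if egress else "medium"})
    return alerts

# Constructed sample telemetry (not real logs); field names follow Security 4688 and Sysmon 10/7/3.
SAMPLE = [
    {"time": "2024-01-01T10:00:00", "code": 4688, "pid": 1000, "parent": "winword.exe",
     "image": r"C:\Windows\System32\mavinject.exe",
     "cmdline": r"mavinject.exe 4321 /INJECTRUNNING C:\Users\u\AppData\Local\Temp\x.dll"},
    {"time": "2024-01-01T10:00:01", "code": 10, "source_pid": 1000, "target_pid": 4321,
     "target_image": "notepad.exe", "granted_access": "0x1F3FFF"},
    {"time": "2024-01-01T10:00:02", "code": 7, "pid": 4321, "signed": "false",
     "image_loaded": r"C:\Users\u\AppData\Local\Temp\x.dll"},
    {"time": "2024-01-01T10:00:09", "code": 3, "pid": 4321, "dest_ip": "203.0.113.7"},
]
```

Calling `detect_mavinject_chain(SAMPLE)` yields one high-severity alert; an allowlisted target loading a signed System32 DLL, or a module load outside TimeWindow, yields none.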