System Binary Proxy Execution: Mavinject

Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).[1]

Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution (ex. C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL).[2][3] Since mavinject.exe may be digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process.

In addition to Dynamic-link Library Injection, Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.[4]

ID: T1218.013
Sub-technique of: T1218
Tactic: Defense Evasion
Platforms: Windows
Version: 2.0
Created: 22 September 2021
Last Modified: 24 October 2025

Procedure Examples

ID: S1239
Name: TONESHELL
Description: TONESHELL has injected its malicious payload into a running process through the Windows utility Microsoft Application Virtualization Injector (MAVInject.exe).[5]

Mitigations

ID: M1042
Mitigation: Disable or Remove Feature or Program
Description: Consider removing mavinject.exe if Microsoft App-V is not used within a given environment.

ID: M1038
Mitigation: Execution Prevention
Description: Use application control configured to block execution of mavinject.exe if it is not required for a given system or network, to prevent potential misuse by adversaries.

Detection Strategy

ID: DET0433
Name: Detecting Code Injection via mavinject.exe (App-V Injector)
Analytic ID: AN1207
Analytic Description: Abuse of mavinject.exe to inject DLLs or import descriptors into another running process. Chain: (1) mavinject.exe starts with /INJECTRUNNING or /HMODULE → (2) mavinject obtains high-access handles to a target process (VM_WRITE/CREATE_THREAD) → (3) target process loads attacker DLL (module load) → (4) optional follow-on child activity or network egress from the target process.
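The following is an added illustration of the chain above, not the ATT&CK page's or DET0433's own analytic: it parses the mavinject.exe command line for the target PID, the injection switch and the DLL path, then correlates constructed process-creation, process-access and image-load telemetry into one alert per chain. The event field names (`pid`, `cmdline`, `source_pid`, `target_pid`, `granted_access`, `image`) are assumptions modelled loosely on Sysmon event IDs 1, 10 and 7; the access-mask constants are the documented Windows values.

```python
import re

# Windows process access rights (the GrantedAccess bits step (2) looks for).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_WRITE = 0x0020
INJECT_ACCESS = PROCESS_CREATE_THREAD | PROCESS_VM_WRITE

def parse_mavinject(cmdline):
    """Return (target_pid, mode, dll_path) when cmdline is a mavinject injection call, else None.
    mode is 'dll' for /INJECTRUNNING and 'import_descriptor' for /HMODULE=BASE."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if len(tokens) < 4 or not tokens[0].lower().endswith("mavinject.exe") or not tokens[1].isdigit():
        return None
    switch = tokens[2].upper()
    if switch == "/INJECTRUNNING":
        mode = "dll"
    elif switch.startswith("/HMODULE="):
        mode = "import_descriptor"
    else:
        return None
    return int(tokens[1]), mode, tokens[3].lower()

def correlate(events):
    """Walk time-ordered events and emit one alert per chain that reaches step (3).
    Step (2) is recorded as supporting evidence, not required, since handle telemetry is often filtered."""
    pending, alerts = {}, []
    for ev in events:
        if ev["type"] == "process_create":
            parsed = parse_mavinject(ev["cmdline"])
            if parsed:
                pid, mode, dll = parsed
                pending[pid] = {"target_pid": pid, "mode": mode, "dll": dll,
                                "mavinject_pid": ev["pid"], "handle_seen": False}
        elif ev["type"] == "process_access":
            chain = pending.get(ev["target_pid"])
            if chain and ev["source_pid"] == chain["mavinject_pid"] and ev["granted_access"] & INJECT_ACCESS:
                chain["handle_seen"] = True
        elif ev["type"] == "image_load":
            chain = pending.get(ev["pid"])
            if chain and ev["image"].lower() == chain["dll"]:
                alerts.append(pending.pop(ev["pid"]))  # the injected DLL appeared in the target
    return alerts

# Constructed telemetry for demonstration; not captured from a real host.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 5100, "cmdline": r'"C:\Windows\system32\svchost.exe" -k netsvcs'},
    {"type": "process_create", "pid": 4321,
     "cmdline": r"C:\Windows\system32\mavinject.exe 1234 /INJECTRUNNING C:\Users\Public\payload.dll"},
    {"type": "process_access", "source_pid": 4321, "target_pid": 1234, "granted_access": 0x1FFFFF},
    {"type": "image_load", "pid": 1234, "image": r"C:\Users\Public\payload.dll"},
    {"type": "image_load", "pid": 5100, "image": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"ALERT: mavinject {a['mode']} injection into PID {a['target_pid']} ({a['dll']}), handle_seen={a['handle_seen']}")
```

Step (4), follow-on child processes or network egress from the target PID, can be appended to the same `pending` record if that telemetry is available.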

References