Process

unknown

mavinject.exe

mavinject.exe is the Microsoft Application Virtualization (App-V) injector, a helper that injects a DLL into a running process for App-V. Outside App-V it is rarely seen. Attackers use it as a signed, ready-made way to inject a DLL into another process.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

LOLBAS (2)
  • MavInject.exe 3110 /INJECTRUNNING {PATH_ABSOLUTE:.dll} · Execute · Inject dll file into running process
  • Mavinject.exe 4172 /INJECTRUNNING {PATH_ABSOLUTE}:file.dll · ADS · Inject dll file into running process

Indicators

Hashes

Not observed.

Analysis

About this process

mavinject.exe is part of the App-V client. Its supported job is to load a DLL into a target process as part of virtualizing an application. The capability is general, though: given a process ID and a DLL path, it injects that DLL into that process. The genuine binary lives at C:\Windows\System32\mavinject.exe, with a 32-bit copy under SysWOW64.

Legitimately, mavinject is invoked by the App-V infrastructure on systems that run virtualized applications. On a machine without App-V it has essentially no reason to run, so its mere presence in the process tree is worth noting.

Security notes

mavinject.exe is a signed, off-the-shelf DLL injector (T1218.013, T1055.001). With mavinject <pid> /INJECTRUNNING <dll> an attacker loads their DLL into a chosen process under a trusted Microsoft binary, achieving process injection without writing their own injector and while bypassing application-control rules that allow the tool. Injecting into a legitimate process also lets the code run under that process's identity.

Because mavinject only belongs on App-V systems, it is high-signal almost by default. A mavinject command line that names a target PID and a DLL, especially a DLL in a user-writable directory, is a direct indicator of injection.

Anomaly signals (4)
  • Running on a host that does not use App-V (high)
  • A command line pairing a process ID with a DLL path (especially /INJECTRUNNING) (high)
  • A DLL from a user-writable path (Temp, AppData, Downloads) (high)
  • Parent is an Office application, a script host, cmd.exe, or powershell.exe (high)
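The anomaly signals above, turned into detection logic that can be run over process-creation telemetry. This is an added example, not code from the original page or from any vendor: the event records are constructed samples, the App-V client executable name (AppVClient.exe) used to recognise a legitimate invoker is an assumption, and the host's App-V status is assumed to come from an asset inventory rather than from the event itself. It goes slightly beyond the list by also flagging the LOLBAS alternate-data-stream form and a mavinject.exe image outside System32/SysWOW64.

```python
"""Score mavinject.exe process-creation events against the page's anomaly signals.
Added example; event records below are constructed sample data, not real telemetry."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Command-line shape from the LOLBAS entries: "<pid> /INJECTRUNNING <dll>" (quoted or bare path)
INJECT_RE = re.compile(r'(\d+)\s+/INJECTRUNNING\s+("[^"]+"|\S+)', re.IGNORECASE)

# Path fragments that mark user-writable locations (lower-cased, backslash-delimited)
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\users\\public\\")

# Parents named on the page: Office, script hosts, cmd.exe, powershell.exe
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe",
}

# Only locations where the genuine binary lives
LEGIT_IMAGES = {r"c:\windows\system32\mavinject.exe", r"c:\windows\syswow64\mavinject.exe"}

# Assumed name of the App-V client service process that legitimately drives mavinject
APPV_CLIENT = "appvclient.exe"

SEVERITY_ORDER = {"none": 0, "info": 1, "high": 2}


@dataclass
class ProcEvent:
    image: str           # full path of the created process
    command_line: str
    parent_image: str    # full path of the parent process
    host_has_appv: bool  # assumed to come from asset inventory


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcEvent) -> list[tuple[str, str]]:
    """Return (signal, severity) pairs for one event; an empty list means nothing fired."""
    hits: list[tuple[str, str]] = []
    if basename(ev.image) != "mavinject.exe":
        return hits

    parent = basename(ev.parent_image)
    # The one expected context: App-V is deployed and the App-V client is the invoker
    appv_context = ev.host_has_appv and parent == APPV_CLIENT

    if ev.image.lower() not in LEGIT_IMAGES:
        hits.append(("mavinject.exe image outside System32/SysWOW64", "high"))
    if not ev.host_has_appv:
        hits.append(("host does not use App-V", "high"))

    m = INJECT_RE.search(ev.command_line)
    if m:
        pid, dll = int(m.group(1)), m.group(2).strip('"')
        hits.append((f"PID {pid} paired with DLL {dll} via /INJECTRUNNING",
                     "info" if appv_context else "high"))
        if any(marker in dll.lower() for marker in USER_WRITABLE):
            hits.append(("DLL in user-writable path", "high"))
        # A colon after the drive letter means an alternate data stream (file.txt:file.dll)
        if ":" in dll[2:]:
            hits.append(("DLL loaded from an alternate data stream", "high"))

    if parent in SUSPICIOUS_PARENTS:
        hits.append((f"suspicious parent {parent}", "high"))
    return hits


def max_severity(hits: list[tuple[str, str]]) -> str:
    return max((sev for _, sev in hits), key=SEVERITY_ORDER.__getitem__, default="none")


def scan(events: list[ProcEvent]) -> list[list[tuple[str, str]]]:
    return [evaluate(ev) for ev in events]


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\mavinject.exe",
              r'"C:\Windows\System32\mavinject.exe" 4812 /INJECTRUNNING "C:\ProgramData\Microsoft\AppV\Client\Integration\example.dll"',
              r"C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe", True),
    ProcEvent(r"C:\Windows\System32\mavinject.exe",
              r"mavinject.exe 3110 /INJECTRUNNING C:\Users\bob\AppData\Local\Temp\payload.dll",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", False),
    ProcEvent(r"C:\Windows\System32\mavinject.exe",
              r"mavinject.exe 4172 /INJECTRUNNING C:\Users\Public\notes.txt:file.dll",
              r"C:\Windows\System32\cmd.exe", False),
    ProcEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe", False),
]

if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(f"{ev.command_line!r}: {max_severity(hits)} {hits}")
```

The only downgrade is the expected App-V case (App-V host, App-V client as parent), where the PID/DLL pairing is recorded as informational rather than high; every other pairing, and every hit on a non-App-V host, stays high, matching the page's "high-signal almost by default" assessment.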

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.

References
