.. /Mavinject.exe
Star

Alternate data streams (DLL)

Used by App-v in Windows

Paths:

C:\Windows\System32\mavinject.exe
C:\Windows\SysWOW64\mavinject.exe

Resources:

Acknowledgements:

Giuseppe N3mes1s (@gN3mes1s)
Oddvar Moe (@oddvarmoe)

Detection:

Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml
IOC: mavinject.exe should not run unless APP-v is in use on the workstation

Execute

Inject evil.dll into a process with PID 3110.
```
MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll
```
Use case
Inject dll file into running process

Privileges required
User

Operating systems
Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

ATT&CK® technique
T1218.013

Tags
Execute: DLL
This LOLBAS executes Dynamic-Link Libraries (DLLs).

Alternate data streams

Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172
```
Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"
```
Use case
Inject dll file into running process

Privileges required
User

Operating systems
Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

ATT&CK® technique
T1564.004

Tags
Execute: DLL
This LOLBAS executes Dynamic-Link Libraries (DLLs).