MITRE ATT&CK® Analytic

AN1207: Analytic 1207

Abuse of mavinject.exe to inject DLLs or import descriptors into another running process. Chain: (1) mavinject.exe starts with /INJECTRUNNING or /HMODULE → (2) mavinject obtains high-access handles to a target process (VM_WRITE/CREATE_THREAD) → (3) target process loads attacker DLL (module load) → (4) optional follow-on child activity or network egress from the target process.

Enterprise | AN1207 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic describes suspicious use of Windows mavinject.exe to inject a DLL or import descriptors into an already running process. For leaders, the practical issue is that a legitimate Microsoft-signed utility can be used to make malicious code run inside another process, which can complicate triage, ownership of activity, and containment decisions.

Executive priority

Prioritize validation where Windows endpoints support critical operations or privileged administration. The decision value is whether the organization can prove, during an incident or audit, that it can see legitimate utilities obtaining high-access process handles, unexpected module loads into target processes, and follow-on activity from the injected process. If that evidence is missing, incident responders may struggle to determine which process actually initiated malicious behavior.

Technical view

SOC and IR teams should validate visibility for mavinject.exe execution with /INJECTRUNNING or /HMODULE, process access patterns where mavinject obtains VM_WRITE or CREATE_THREAD rights to another process, module-load events in the target process, and any subsequent child process or network activity from that target. Because no official detection logic is supplied, teams should treat this as a detection engineering requirement rather than a ready-made rule. Scope is Windows only based on the supplied platform field.

Likely telemetry

  • Windows process creation events including command line arguments for mavinject.exe
  • Process access telemetry showing requested rights such as VM_WRITE and CREATE_THREAD against a target process
  • Image or module load telemetry from the target process after mavinject activity
  • Parent-child process relationships involving mavinject.exe and the target process
  • Network connection telemetry tied to the target process after injection

Detection direction

  • Validate alerts or hunts for mavinject.exe launched with /INJECTRUNNING or /HMODULE.
  • Correlate mavinject execution with high-access handles to another running process and subsequent module loads in that target process.
  • Review follow-on child activity or network egress from the target process, not just from mavinject.exe, because injected code may execute under the target process context.
  • Tune carefully for legitimate administrative or diagnostic use of mavinject.exe where present; require correlation with unusual target processes, unexpected DLL paths, or follow-on behavior to reduce noise.
  • Document visibility gaps explicitly, especially if process access or module-load telemetry is not collected.
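A worked correlator for the four-stage chain the detection direction describes, added here as an example (not code from MITRE or Glexia). It assumes Sysmon-style event fields (EventID 1 process create, 10 process access with GrantedAccess as a hex mask, 7 image load, 3 network connect) and runs over constructed sample events; it reports, per mavinject launch that used an injection switch, how far the chain progressed in the target process.

```python
import re

# PROCESS_* rights from winnt.h; Sysmon reports GrantedAccess as a hex mask.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_WRITE = 0x0020
INJECT_FLAGS = re.compile(r"/(INJECTRUNNING|HMODULE)\b", re.I)
TARGET_PID = re.compile(r'mavinject(?:\.exe)?"?\s+(\d+)\b', re.I)  # first argument is the PID

def is_mavinject(image):
    return image.lower().endswith("\\mavinject.exe")

def correlate_mavinject_chain(events):
    """Walk time-ordered Sysmon-style events (IDs 1, 3, 7, 10); return one finding
    per injection-style mavinject launch with how far the AN1207 chain progressed."""
    by_target = {}  # target PID -> finding
    for e in events:
        eid = e["EventID"]
        if eid == 1 and is_mavinject(e["Image"]):  # stage 1: mavinject + switch
            flag, pid = INJECT_FLAGS.search(e["CommandLine"]), TARGET_PID.search(e["CommandLine"])
            if flag and pid:
                by_target[int(pid.group(1))] = {
                    "mavinject_pid": e["ProcessId"], "target_pid": int(pid.group(1)),
                    "flag": flag.group(1).upper(), "high_access": False,
                    "loaded": [], "follow_on": []}
        elif eid == 10 and is_mavinject(e["SourceImage"]):  # stage 2: handle rights
            f = by_target.get(e["TargetProcessId"])
            if f and int(e["GrantedAccess"], 16) & (PROCESS_VM_WRITE | PROCESS_CREATE_THREAD):
                f["high_access"] = True
        elif eid == 7:  # stage 3: module load in the target after the handle
            f = by_target.get(e["ProcessId"])
            if f and f["high_access"]:
                f["loaded"].append(e["ImageLoaded"])
        elif eid in (1, 3):  # stage 4: child process or egress from the target
            f = by_target.get(e.get("ParentProcessId") if eid == 1 else e["ProcessId"])
            if f and f["loaded"]:
                f["follow_on"].append(("child:" + e["Image"]) if eid == 1 else ("net:" + e["DestinationIp"]))
    for f in by_target.values():
        f["stage"] = 1 + f["high_access"] + bool(f["loaded"]) + bool(f["follow_on"])
    return list(by_target.values())

SAMPLE_EVENTS = [  # constructed events for this example, in time order
    {"EventID": 1, "ProcessId": 4120, "ParentProcessId": 3000, "Image": r"C:\Windows\System32\mavinject.exe",
     "CommandLine": r"mavinject.exe 2876 /INJECTRUNNING C:\Users\Public\payload.dll"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\mavinject.exe", "SourceProcessId": 4120,
     "TargetProcessId": 2876, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 7, "ProcessId": 2876, "ImageLoaded": r"C:\Users\Public\payload.dll"},
    {"EventID": 3, "ProcessId": 2876, "DestinationIp": "203.0.113.10"},
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 3000, "Image": r"C:\Windows\System32\mavinject.exe",
     "CommandLine": "mavinject.exe /?"},  # no injection switch: not a finding
]
```

A stage-2 finding with no module load is the tuning case the list above calls out: the handle alone is weak evidence, while stage 3 or 4 on a non-App-V target is the signal to page on.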

Mitigation priorities

  • Inventory and baseline legitimate use of mavinject.exe on Windows systems before enforcing restrictive controls.
  • Ensure endpoint logging or EDR collection captures process creation, command line, process access, module load, and network activity needed for correlation.
  • Apply application control or allowlisting policy where appropriate to limit unauthorized use of legitimate utilities, while accounting for operational dependencies.
  • Strengthen incident response playbooks to investigate the target process context, loaded modules, and follow-on behavior rather than terminating analysis at mavinject.exe.
  • Use the analytic as compliance and readiness evidence only after validating that required telemetry is collected and reviewed.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Windows behavior involving mavinject.exe abuse. It includes a behavior chain but no official detection text, no tactics, and no relationship context. Defensive value depends heavily on local telemetry quality and the ability to correlate multiple event classes.

This take is limited to the supplied official fields. It does not assert active exploitation, actor attribution, impact, or guaranteed detection. No non-Windows platforms, related techniques, mitigations, or specific detection rules are inferred because they were not supplied.

Official MITRE ATT&CK definition

Analytic 1207

Abuse of mavinject.exe to inject DLLs or import descriptors into another running process. Chain: (1) mavinject.exe starts with /INJECTRUNNING or /HMODULE → (2) mavinject obtains high-access handles to a target process (VM_WRITE/CREATE_THREAD) → (3) target process loads attacker DLL (module load) → (4) optional follow-on child activity or network egress from the target process.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: dd8b977d96ca7e0a...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | dd8b977d96ca…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1207

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.