MITRE ATT&CK® Technique

T1218.013: Mavinject

Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).[1]

Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. Dynamic-link Library Injection), allowing for arbitrary code execution (ex. C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL).[2][3] Since mavinject.exe may be digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process.

In addition to Dynamic-link Library Injection, Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.[4]

Enterprise | T1218.013 | Sub-technique | Object v3.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Mavinject is a Windows signed utility associated with Microsoft App-V that can be abused to run attacker-controlled DLL code inside another process. The business issue is not that mavinject.exe is inherently malicious; it is that trusted Windows binaries can blur the line between normal administration and stealthy execution. Leaders should treat this as a test of whether endpoint controls, SOC workflows, and application-control policy can distinguish legitimate App-V activity from suspicious code injection.

Executive priority

Prioritize this where Windows endpoints or servers allow broad execution of native signed binaries without context-aware monitoring. This technique is relevant to resilience and audit readiness because it can undermine simple allowlisting based only on Microsoft signatures. Risk owners should ask whether App-V/mavinject is actually required, whether unauthorized DLL execution is prevented, and whether incident responders can quickly prove which process injected what DLL into which target process.

Technical view

For SOC and IR teams, validate coverage on Windows for mavinject.exe process starts, command-line arguments associated with DLL or import descriptor injection such as /INJECTRUNNING and /HMODULE, the target process identifier, and the referenced DLL path. Because this is a sub-technique of System Binary Proxy Execution and relates to Dynamic-link Library Injection behavior, detections should not rely only on the binary being unsigned or unknown. The supplied relationship indicates detection strategy DET0433 is relevant, and mitigations M1038 Execution Prevention and M1042 Disable or Remove Feature or Program should guide control validation.

Likely telemetry

  • Windows process creation events including full command line, parent process, user, image path, and hash/signature metadata for mavinject.exe
  • DLL/module load telemetry showing the injected or referenced DLL path and loading process
  • EDR telemetry for cross-process activity, process injection, handle access, or code execution in another process where available
  • Application control or execution prevention logs showing allowed or blocked mavinject.exe and DLL execution
  • Asset/software inventory indicating whether Microsoft App-V and mavinject.exe are expected on the host

Detection direction

  • Baseline legitimate App-V or administrative use before treating all mavinject.exe execution as malicious; false positives are possible in environments that use App-V.
  • Alert on mavinject.exe with injection-related parameters, unusual parent processes, non-standard DLL paths, user-writable locations, or execution on systems where App-V is not expected.
  • Do not suppress events solely because mavinject.exe is Microsoft-signed; the ATT&CK behavior specifically relies on trusted binary proxy execution.
  • Correlate process creation with DLL load and target process telemetry to reduce noise and improve incident confidence.
  • Use the mapped detection strategy DET0433 as a validation reference, but confirm that local logging actually captures command line and module/injection evidence.
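As an added example (not code from the ATT&CK entry or from Glexia's page), the triage logic described in the Technical view and the Detection direction above, run over constructed process-start events: it keys on the /INJECTRUNNING and /HMODULE parameters, the referenced DLL path, the parent process, and whether App-V is expected on the host, and never suppresses on the Microsoft signature alone. The event field names, the App-V parent baseline and the sample events are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-start events (not real telemetry); field names are
# assumptions standing in for Sysmon event 1 / EDR process-creation fields.
EVENTS = [
    {"host": "APPV-SRV01", "appv_expected": True,
     "parent": r"C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe",
     "image": r"C:\Windows\System32\mavinject.exe",
     "cmdline": r'mavinject.exe 4120 /INJECTRUNNING "C:\Program Files\Microsoft Application Virtualization\Client\AppVEntSubsystems64.dll"'},
    {"host": "WKSTN-042", "appv_expected": False, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\mavinject.exe",
     "cmdline": r"mavinject.exe 6644 /INJECTRUNNING C:\Users\jdoe\AppData\Local\Temp\update.dll"},
    {"host": "WKSTN-042", "appv_expected": False, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": r"notepad.exe C:\Users\jdoe\notes.txt"},
]

INJECT_FLAG = re.compile(r"^/(INJECTRUNNING|HMODULE=\S+)$", re.IGNORECASE)  # the two abuse paths in the text
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)    # non-standard DLL locations
KNOWN_PARENTS = {"appvclient.exe"}  # assumed App-V baseline; replace with parents observed in your estate

def parse_cmdline(cmdline):
    """Split a Windows command line, keeping quoted paths as single tokens."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def evaluate(event):
    """Score one process-start event; returns a finding for mavinject.exe, else None."""
    if PureWindowsPath(event["image"]).name.lower() != "mavinject.exe":
        return None
    tokens = parse_cmdline(event["cmdline"])
    flag, dll, reasons = None, None, []
    for i, tok in enumerate(tokens):
        if INJECT_FLAG.match(tok):                    # /INJECTRUNNING or /HMODULE=BASE_ADDRESS
            flag = tok.split("=")[0].upper()
            dll = tokens[i + 1] if i + 1 < len(tokens) else None  # DLL path follows the flag
            reasons.append(f"injection parameter {flag}")
            break
    if dll and USER_WRITABLE.search(dll):
        reasons.append("DLL in user-writable path")
    if PureWindowsPath(event["parent"]).name.lower() not in KNOWN_PARENTS:
        reasons.append("parent not in App-V baseline")
    if not event["appv_expected"]:
        reasons.append("App-V not expected on host")
    # A Microsoft signature never suppresses the event; surrounding context decides severity.
    severity = "high" if flag and len(reasons) > 1 else "review" if flag else "info"
    return {"host": event["host"], "target_pid": tokens[1] if len(tokens) > 1 else None,
            "flag": flag, "dll": dll, "severity": severity, "reasons": reasons}

def triage(events):
    """Return findings for every mavinject.exe start in a batch of events."""
    return [f for f in map(evaluate, events) if f is not None]
```

The first event lands in "review" (injection parameter, but known parent on an App-V host) and the second in "high"; the baseline set and path patterns are the knobs to tune before alerting.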

Mitigation priorities

  • First determine whether App-V/mavinject.exe is required; if not, reduce attack surface by disabling or removing unnecessary features consistent with M1042.
  • Where the utility is required, enforce execution prevention and application control consistent with M1038 so only authorized code and approved DLL locations are allowed.
  • Harden policy beyond publisher trust alone; signed Microsoft binary execution should still be constrained by path, role, use case, and command context where possible.
  • Maintain evidence for compliance and readiness reviews: approved use cases, application-control policy, exceptions, and alert/response procedures for mavinject.exe abuse.

Analyst notes and limits

ATT&CK also maps TONESHELL software to use of this technique, which can help threat intelligence teams enrich analytic hypotheses. That relationship should not be interpreted as proof of current activity in any specific environment. The practical value is to validate whether signed-binary proxy execution and DLL injection are observable and controllable on Windows assets.

The official ATT&CK object does not provide a detection section, so detection guidance here is derived from the official description and supplied relationships, especially DET0433, M1038, M1042, and the parent technique T1218. Local App-V usage, endpoint logging depth, and application-control design are required to assess actual exposure or coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: Enterprise
ID: T1218
Name: System Binary Proxy Execution
Relationship / procedure: This object is a sub-technique of System Binary Proxy Execution.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 3.0
Created:
Modified:
Raw hash: 0803a729a6c89662...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 3.0 Current bundle 0803a729a6c8…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] LOLBAS Mavinject: LOLBAS. (n.d.). Mavinject.exe. Retrieved September 22, 2021.
  [2] ATT Lazarus TTP Evolution: Fernando Martinez. (2021, July 6). Lazarus campaign TTPs and evolution. Retrieved September 22, 2021.
  [3] Reaqta Mavinject: Reaqta. (2017, December 16). From False Positive to True Positive: the story of Mavinject.exe, the Microsoft Injector. Retrieved September 22, 2021.
  [4] Mavinject Functionality Deconstructed: Matt Graeber. (2018, May 29). mavinject.exe Functionality Deconstructed. Retrieved September 22, 2021.
  [5] mitre-attack T1218.013.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.