| CISA

Block or Monitor Mavinject.exe Utility (CM0008)

In Playbook

Details

ID: CM0008
Version: 1.0
Created: 14 March 2025
Modified: 14 March 2025
Type: Disable, Examine
Status: Active

Intended Outcome

Blocking or monitoring execution of the Mavinject.exe utility (Microsoft Application Virtualization Injector) blocks or detects adversary defense evasion using proxy execution of code.

Introduction

Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of the Microsoft Application Virtualization (App-V) client for virtualization. While Mavinject.exe can be used by other legitimate programs, it is primarily used by App-V. If App-V capabilities are not required, it may be safer to remove the Mavinject.exe program and implement defenses to prevent its future installation and execution.

Preparation

Identify a baseline of behavior for Mavinject.exe.
Determine necessity of permitting Mavinject.exe in environment.

Risks

This countermeasure can break legitimate functionality. However, this risk is only likely if App-V is in use in the enterprise.

Guidance

Monitor

Configure the host-based agent to monitor for:

Process execution
Command-line parameter inspection
Process lineage monitoring

To gain insight into attempts at binary masquerading, consider collecting process metadata. Adversaries have been observed renaming binaries to evade brittle detections.

Collect data on module loads and monitor DLLs.
Analytics can be written to monitor for API calls indicative of process injection. Take care to tune the analytic to reduce false positives.
Implement network monitoring to detect anomalous network connections and support the ability to correlate connections to processes.

Block

Explore the feasibility of removing the Mavinject.exe binary.
Scanning for filenames and hashes associated with Mavinject.exe and auditing command line/PowerShell logs can be useful for detecting Mavinject.exe.
EDR rules can be used to detect and prevent the execution of Mavinject.exe where contextually relevant.
Mavinject.exe execution can be blocked by leveraging commercial or opensource tools that are designed to block programs from executing (e.g., Windows Defender Application Blocking, CrowdStrike).

References

mavinject.exe Functionality Deconstructed | https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e
The Curious Case Of Mavinject.Exe | https://fourcore.io/blogs/mavinject-curious-process-injection