Nasreddine Bencherchali
598d29f811
chore: change tags, date, modified fields to comply with v2 of the Sigma spec. chore: update the related type from `obsoletes` to `obsolete`. chore: update local json schema to the latest version.
38 lines
1.5 KiB
YAML
38 lines
1.5 KiB
YAML
title: Renamed Mavinject.EXE Execution
|
|
id: e6474a1b-5390-49cd-ab41-8d88655f7394
|
|
status: test
|
|
description: Detects the execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag
|
|
references:
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md
|
|
- https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e
|
|
- https://twitter.com/gN3mes1s/status/941315826107510784
|
|
- https://reaqta.com/2017/12/mavinject-microsoft-injector/
|
|
- https://twitter.com/Hexacorn/status/776122138063409152 # Deleted tweet
|
|
- https://github.com/SigmaHQ/sigma/issues/3742
|
|
- https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection
|
|
author: frack113, Florian Roth
|
|
date: 2022-12-05
|
|
modified: 2023-02-03
|
|
tags:
|
|
- attack.defense-evasion
|
|
- attack.privilege-escalation
|
|
- attack.t1055.001
|
|
- attack.t1218.013
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
OriginalFileName:
|
|
- 'mavinject32.exe'
|
|
- 'mavinject64.exe'
|
|
filter:
|
|
Image|endswith:
|
|
- '\mavinject32.exe'
|
|
- '\mavinject64.exe'
|
|
condition: selection and not filter
|
|
falsepositives:
|
|
- Unlikely
|
|
level: high
|