{
	"id": "d195f81d-0167-495e-908a-766a86c8196f",
	"created_at": "2026-04-06T00:16:29.797826Z",
	"updated_at": "2026-04-10T03:22:13.377402Z",
	"deleted_at": null,
	"sha1_hash": "94d472708102afb0f48e5bd805b8ede387e6fc2e",
	"title": "Mavinject on LOLBAS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46677,
	"plain_text": "Mavinject on LOLBAS\r\nArchived: 2026-04-02 12:40:53 UTC\r\nUsed by App-v in Windows\r\nPaths:\r\nC:\\Windows\\System32\\mavinject.exe\r\nC:\\Windows\\SysWOW64\\mavinject.exe\r\nResources:\r\nhttps://twitter.com/gN3mes1s/status/941315826107510784\r\nhttps://twitter.com/Hexcorn/status/776122138063409152\r\nhttps://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/\r\nAcknowledgements:\r\nGiuseppe N3mes1s (@gN3mes1s)\r\nOddvar Moe (@oddvarmoe)\r\nDetections:\r\nSigma: proc_creation_win_lolbin_mavinject_process_injection.yml\r\nIOC: mavinject.exe should not run unless APP-v is in use on the workstation\r\nExecute\r\n1. Inject evil.dll into a process with PID 3110.\r\nMavInject.exe 3110 /INJECTRUNNING C:\\Windows\\Temp\\file.dll\r\nUse case\r\nInject dll file into running process\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1218.013: Mavinject\r\nTags\r\nhttps://lolbas-project.github.io/lolbas/Binaries/Mavinject/\r\nPage 1 of 2\n\nExecute: DLL\r\nAlternate data streams\r\n1. Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172\r\nMavinject.exe 4172 /INJECTRUNNING C:\\Windows\\Temp\\file.ext:file.dll\r\nUse case\r\nInject dll file into running process\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1564.004: NTFS File Attributes\r\nTags\r\nExecute: DLL\r\nSource: https://lolbas-project.github.io/lolbas/Binaries/Mavinject/\r\nhttps://lolbas-project.github.io/lolbas/Binaries/Mavinject/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://lolbas-project.github.io/lolbas/Binaries/Mavinject/"
	],
	"report_names": [
		"Mavinject"
	],
	"threat_actors": [],
	"ts_created_at": 1775434589,
	"ts_updated_at": 1775791333,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/94d472708102afb0f48e5bd805b8ede387e6fc2e.pdf",
		"text": "https://archive.orkl.eu/94d472708102afb0f48e5bd805b8ede387e6fc2e.txt",
		"img": "https://archive.orkl.eu/94d472708102afb0f48e5bd805b8ede387e6fc2e.jpg"
	}
}