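---
# LOLBAS entry for mavinject.exe, a signed Windows binary that can load a DLL
# into an already running process. Indentation restored to the standard
# LOLBAS layout (list items carry their sibling keys indented beneath them);
# string fields are single-quoted so backslashes and quotes stay literal.
Name: 'Mavinject.exe'
Description: 'Inject DLL into running process'
Created: '2018-06-17'
# Both examples rely on the /INJECTRUNNING switch, so an audit of
# mavinject.exe command lines for that switch is the natural detection hook.
Commands:
  - Command: 'MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll'
    Description: 'Inject evil.dll into a process with PID 3110.'
  # The DLL argument here points into an NTFS alternate data stream, so a
  # check on the DLL path alone would not see a file on disk by that name.
  - Command: 'Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"'
    Description: 'Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172.'
Windows Binary: true
Bypasses Default AppLocker Rules: false
Notes: ''
# ATT&CK mapping not yet filled in; T1055.001 (Process Injection: DLL
# injection) looks like the candidate technique — confirm before publishing.
MITRE:
  - ID: ''
    Link: ''
Atomic Red Teaming:
  - Description: ''
    Code: ''
# Both the 64-bit and the WOW64 copy exist on a default install.
Full path:
  - Path: 'C:\Windows\System32\mavinject.exe'
  - Path: 'C:\Windows\SysWOW64\mavinject.exe'
# All entries are still false: nothing in this record has been verified yet.
Verified on OS:
  - Windows 10 1803: false
  - Windows 10 1709: false
  - Windows 10 1703: false
  - Windows 10 1607: false
  - Windows 10 1511: false
  - Windows 10 1507: false
  - Windows 8.1: false
  - Windows 8: false
  - Windows 7: false
Resources:
  - Link: 'https://twitter.com/gN3mes1s/status/941315826107510784'
  - Link: 'https://twitter.com/Hexcorn/status/776122138063409152'
  - Link: 'https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/'
  - Link: 'https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e'
Acknowledgement:
  - Name: 'Giuseppe'
    TwitterHandle: '@gN3mes1s'
    Blog: 'https://quequero.org/'
  - Name: 'Adam'
    TwitterHandle: '@hexacorn'
    Blog: 'http://www.hexacorn.com/blog/'
  - Name: 'Oddvar Moe'
    TwitterHandle: '@oddvarmoe'
    Blog: 'http://oddvar.moe'
  - Name: 'Matt Graeber'
    # Trailing space removed from the handle; it was part of the string value.
    TwitterHandle: '@mattifestation'
    Blog: 'http://www.exploit-monday.com/'
---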