Mavinject Execution

Anvilogic Forge

Summary
The detection rule "Mavinject Execution" targets abuse of Mavinject, a legitimate Windows component that can inject code into running processes. It highlights the use of Mavinject in living-off-the-land attacks, where threat actors rely on tools already present on the system to evade detection. Specifically, the rule inspects process events from the last two hours and flags any process whose executable name is 'mavinject.exe' or whose command line matches a specified regex pattern indicating an ongoing injection. The logic is written in the Snowflake query format and runs against CrowdStrike Falcon Data Replicator (FDR) process logs. The rule is also associated with several ATT&CK techniques, including dynamic-link library injection and API hooking, reflecting the different ways the Mavinject component can be abused. Its aim is to surface instances where Mavinject is used for purposes contrary to its legitimate intent.
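The following is an added example, not Anvilogic's rule, showing the two-part logic the summary describes (executable name or injection-argument regex, restricted to a two-hour window) applied to constructed process events. The field names, the regex, and the sample events are assumptions; the page does not publish the rule's actual pattern.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed stand-in for the rule's unspecified regex: /INJECTRUNNING and
# /HMODULE are mavinject's documented injection and DLL-hook switches.
INJECT_PATTERN = re.compile(r"/(?:INJECTRUNNING|HMODULE)\b", re.IGNORECASE)
LOOKBACK = timedelta(hours=2)

def classify(event, now):
    """Return why one process event matches the rule, or None.

    Field names (timestamp, FileName, CommandLine) are assumed to mirror
    FDR process-rollup columns; the page does not list them.
    """
    if now - event["timestamp"] > LOOKBACK:
        return None                      # outside the two-hour window
    name = event.get("FileName", "").lower()
    cmd = event.get("CommandLine", "")
    if name == "mavinject.exe":
        return "image-name"
    if INJECT_PATTERN.search(cmd):
        return "injection-args"          # renamed binary, same switches
    return None

def detect(events, now):
    """Return (event id, reason) for every event the rule would flag."""
    return [(e["id"], r) for e in events if (r := classify(e, now))]

NOW = datetime(2024, 2, 9, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [  # constructed sample FDR process events
    {"id": 1, "timestamp": NOW - timedelta(minutes=5),
     "FileName": "mavinject.exe",
     "CommandLine": r"mavinject.exe 4120 /INJECTRUNNING C:\Users\Public\t.dll"},
    {"id": 2, "timestamp": NOW - timedelta(minutes=30),
     "FileName": "update.exe",           # copy of the binary under another name
     "CommandLine": r"update.exe 4120 /INJECTRUNNING C:\Users\Public\t.dll"},
    {"id": 3, "timestamp": NOW - timedelta(minutes=1),
     "FileName": "notepad.exe", "CommandLine": "notepad.exe report.txt"},
    {"id": 4, "timestamp": NOW - timedelta(hours=3),  # too old for the window
     "FileName": "mavinject.exe",
     "CommandLine": r"mavinject.exe 900 /INJECTRUNNING C:\Temp\h.dll"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, NOW):
        print(hit)
```

Event 2 shows why the rule needs the regex as well as the image name: the same switches appear on the command line even when the binary has been renamed.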
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • File
  • Windows Registry
ATT&CK Techniques
  • T1218
  • T1055.001
  • T1056.004
Created: 2024-02-09