
Mavinject Inject DLL Into Running Process

Sigma Rules

Summary
This rule detects use of mavinject.exe, the signed Microsoft Application Virtualization (App-V) injector that ships in System32 on modern Windows, to load a DLL into a process that is already running. It fires on Windows process-creation events whose command line contains the argument '/INJECTRUNNING', the switch that instructs the tool to inject a DLL into a running process. To cut false positives from the tool's legitimate use, events whose parent process image is 'C:\Windows\System32\AppVClient.exe' are excluded, since the App-V client is the expected caller. Two consequences of that design matter in practice: the match is on the command line rather than on the image name, so a renamed copy of mavinject.exe is still caught, but any other process whose command line happens to contain the string will match too; and the parent-image check is the only exclusion, so environments that invoke mavinject from other App-V components may need additional tuning. The rule is mapped to process injection, defense evasion and privilege escalation, and is rated 'high' because DLL injection through a signed Microsoft binary is a well-known way to run code under a trusted host process and evade security controls.
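As an added illustration (not the rule's own code and not anything from the Sigma project), the following Python encodes the matching logic the summary describes, "command line contains /INJECTRUNNING and parent image is not AppVClient.exe", and runs it over a handful of constructed Sysmon-style process-creation events. The field names, the mapping of the process_creation logsource to Sysmon Event ID 1, and every path, PID and DLL name are assumptions made for the example.

```python
# Added example: a minimal re-implementation of the rule's matching logic,
# evaluated against constructed Sysmon-style process-creation events.
# It is not the Sigma rule itself and not code from the rule's authors.


# Sigma string matching is case-insensitive by default, and the 'contains'
# modifier is a substring test. These two helpers mirror that behaviour.
def sigma_contains(value, needle):
    return needle.lower() in (value or "").lower()


def sigma_equals(value, expected):
    return (value or "").lower() == expected.lower()


APPV_CLIENT = r"C:\Windows\System32\AppVClient.exe"
MAVINJECT = r"C:\Windows\System32\mavinject.exe"


def is_process_creation(event):
    # Logsource 'process_creation' on Windows, mapped here to Sysmon Event ID 1.
    # Assumption: events carry 'Provider' and 'EventID' fields in this shape.
    return (event.get("Provider") == "Microsoft-Windows-Sysmon"
            and event.get("EventID") == 1)


def matches_mavinject_rule(event):
    """'selection and not filter', as the summary describes the rule."""
    if not is_process_creation(event):
        return False
    selection = sigma_contains(event.get("CommandLine"), "/INJECTRUNNING")
    filter_appv = sigma_equals(event.get("ParentImage"), APPV_CLIENT)
    return selection and not filter_appv


def run_detection(events):
    """Return the RecordIds of the events that would raise this alert."""
    return [e["RecordId"] for e in events if matches_mavinject_rule(e)]


# Constructed sample telemetry (PIDs, paths and DLL names are made up).
SAMPLE_EVENTS = [
    {   # 1: classic use from a shell -> alert
        "RecordId": 1, "Provider": "Microsoft-Windows-Sysmon", "EventID": 1,
        "Image": MAVINJECT,
        "CommandLine": r'"C:\Windows\System32\mavinject.exe" 4172 /INJECTRUNNING C:\Users\Public\payload.dll',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # 2: same flag, but launched by the App-V client -> suppressed by the filter
        "RecordId": 2, "Provider": "Microsoft-Windows-Sysmon", "EventID": 1,
        "Image": MAVINJECT,
        "CommandLine": r'"C:\Windows\System32\mavinject.exe" 5120 /INJECTRUNNING C:\ProgramData\App-V\hook.dll',
        "ParentImage": APPV_CLIENT,
    },
    {   # 3: renamed copy with a lower-case flag -> still alerts (match is on the command line)
        "RecordId": 3, "Provider": "Microsoft-Windows-Sysmon", "EventID": 1,
        "Image": r"C:\Users\Public\mi.exe",
        "CommandLine": r"mi.exe 4172 /injectrunning C:\Users\Public\payload.dll",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # 4: mavinject without the injection flag -> no alert
        "RecordId": 4, "Provider": "Microsoft-Windows-Sysmon", "EventID": 1,
        "Image": MAVINJECT,
        "CommandLine": r'"C:\Windows\System32\mavinject.exe" /?',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # 5: an unrelated command line that merely contains the string -> alert (false positive)
        "RecordId": 5, "Provider": "Microsoft-Windows-Sysmon", "EventID": 1,
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c echo use /INJECTRUNNING for App-V hooks > notes.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict = "ALERT" if matches_mavinject_rule(e) else "ok   "
        print(e["RecordId"], verdict, e["CommandLine"])
    print("alerting records:", run_detection(SAMPLE_EVENTS))
```

Records 1, 3 and 5 alert and records 2 and 4 do not. Record 3 shows why keying on the command line rather than the image name is useful against a renamed binary, and record 5 shows the cost of that choice: a benign command that merely echoes the switch is indistinguishable to this logic, so reviewers should look at the Image and the injected DLL path before treating a hit as confirmed injection.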
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1218
  • T1056.004
Created: 2021-07-12