Bypass Record

Masquerading × Cortex XDR

A publicly-reported instance of Masquerading bypassing Cortex XDR, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Cortex XDR
Technique
Masquerading
MITRE ATT&CK
T1036
Confidence
High
Severity
High
Status
poc
Disclosed
2025-06-23
Config / version noted
Not stated

Provenance

Reported as

bypassing...Cortex XDR's detection...evade Cortex XDR's behavioral detection

Mechanism

The attacker builds a .NET executable whose Uninstall() method contains the malicious code. Running InstallUtil.exe /u against that assembly invokes Uninstall(); because InstallUtil is a trusted Windows binary, this sidesteps Carbon Black's block on unknown executables. The code then injects into a legitimate process (e.g., notepad.exe) using only OpenProcess() and WriteProcessMemory(), avoiding the VirtualAllocEx and CreateRemoteThread sequence that EDRs typically monitor. Memory allocation is achieved by other means (e.g., modifying existing executable memory or using other APIs) so as to evade Cortex XDR's behavioral detection.

Detection & mitigation

Monitor for InstallUtil.exe spawning unexpected child processes or making network connections. Track .NET assemblies loaded by InstallUtil, especially those with Uninstall methods performing process injection or memory allocation. Enforce application control policies that restrict InstallUtil usage to authorized directories or signed assemblies. Use EDR behavioral rules to detect process injection patterns involving OpenProcess and WriteProcessMemory without corresponding VirtualAllocEx.
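As an added example (not from the cited source or any vendor), the two checks above expressed as detection logic over constructed EDR-style telemetry; the event field names, the sample events and the AUTHORIZED_DIRS allow-list are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (hypothetical field names, not from the page):
# process-creation events and per-process API-call records as an EDR might emit them.
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 10,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "cmdline": r"InstallUtil.exe /logfile= /LogToConsole=false /u C:\Users\Public\installer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"pid": 200, "ppid": 10,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "cmdline": r"InstallUtil.exe /u C:\Program Files\Vendor\svc.exe"},
]
API_EVENTS = [  # (caller pid, API name, target pid)
    (100, "OpenProcess", 101), (100, "WriteProcessMemory", 101),
    (300, "OpenProcess", 101), (300, "VirtualAllocEx", 101),
    (300, "WriteProcessMemory", 101), (300, "CreateRemoteThread", 101),
]

# Assumed allow-list: directories from which InstallUtil may legitimately load assemblies.
AUTHORIZED_DIRS = ("c:\\program files\\",)

def installutil_uninstall_findings(events):
    """Flag InstallUtil /u runs whose assembly lies outside AUTHORIZED_DIRS and any
    child process spawned by InstallUtil (both called out in the mitigation notes)."""
    findings, installutil_pids = [], set()
    for e in events:
        if e["image"].lower().endswith("\\installutil.exe"):
            installutil_pids.add(e["pid"])
            m = re.search(r"(?i)\s[/-]u\s+(.+)$", e["cmdline"])
            if m and not m.group(1).strip().lower().startswith(AUTHORIZED_DIRS):
                findings.append(("installutil_unauthorized_assembly", e["pid"], m.group(1).strip()))
    for e in events:
        if e["ppid"] in installutil_pids:
            findings.append(("installutil_child_process", e["pid"], e["image"]))
    return findings

def injection_without_alloc(api_events):
    """Flag (caller, target) pairs that call OpenProcess and WriteProcessMemory on a
    remote process with no VirtualAllocEx, the sequence the record describes."""
    seen = defaultdict(set)
    for caller, api, target in api_events:
        if caller != target:
            seen[(caller, target)].add(api)
    return sorted(pair for pair, apis in seen.items()
                  if {"OpenProcess", "WriteProcessMemory"} <= apis and "VirtualAllocEx" not in apis)

if __name__ == "__main__":
    for f in installutil_uninstall_findings(PROCESS_EVENTS) + injection_without_alloc(API_EVENTS):
        print(f)
```

The API-sequence check keys on the caller/target pair rather than the caller alone, so a process that legitimately allocates in one target and writes to another is not collapsed into a single false negative.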

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.