Abusing WinGet via the COM API
⚔️ Attack Techniques & Methods | 2026-04-24, 10:42
EclipseSec's research shows how to leverage the WinGet COM API to execute arbitrary code inside a Microsoft‑signed process. Instead of invoking winget.exe, an attacker can call the COM interface directly, completely avoiding any appearance of winget.exe, powershell.exe, or cmd.exe in the process tree. This effectively turns WinGet into a living‑off‑the‑land tool that helps evade monitoring solutions.
The technique works on Windows 10, Windows 11, or Windows Server 2025 systems where WinGet is installed by default. Exploitation requires a user account that has permission to access the WinGet COM object.
📎 Article: https://eclipsesec.com/posts/DSCourier/
⚙️ Tool: https://github.com/DylanDavis1/DSCourier