DSCourier Proof-of-Concept Abuses WinGet COM API to Bypass CrowdStrike Falcon, Microsoft Defender, and Elastic EDR


A security researcher has released DSCourier, a proof-of-concept tool that abuses the WinGet Configuration COM API to apply arbitrary Desired State Configuration (DSC) configurations through Microsoft-signed binaries — a technique that has been demonstrated to bypass three of the most widely deployed enterprise EDR platforms: CrowdStrike Falcon, Microsoft Defender for Endpoint, and Elastic Security.

The technique works because DSCourier leverages WinGet's built-in configuration functionality, which runs through Microsoft's own signed binaries. Since the execution chain originates from trusted, vendor-signed processes, EDR platforms that rely on binary reputation and process-tree analysis do not flag the activity as malicious. The tool effectively turns a legitimate Windows management capability into an execution vehicle for attacker-controlled configurations.

DSCourier requires WinGet to be installed on the target system with the configuration feature flag enabled, along with the PSDscResources PowerShell module as a runtime dependency. It runs on Windows 10, Windows 11, and Server 2025. The tool is built on .NET 8 and uses COM interop to call directly into WinGet's Microsoft.Management.Configuration API.

The researcher has published the full source code, build scripts, compiled binaries, and video demonstrations showing successful bypass of CrowdStrike Falcon on GitHub under an MIT license. A companion blog post provides a detailed technical breakdown of the underlying technique. The tool is described as a research starting point rather than a finished offensive product — its primary value lies in operators modifying and extending the approach with custom configuration files tailored to their own objectives.

The public release of a working EDR bypass affecting three major platforms simultaneously is significant. While proof-of-concept tools of this nature serve legitimate red team and security research purposes, the technique is straightforward to replicate and the barrier to weaponization is low. Attackers who already have initial access to a Windows environment with WinGet installed can use this approach to execute post-exploitation actions without triggering endpoint detection.

What Defenders Should Do:

Security teams running CrowdStrike Falcon, Defender for Endpoint, or Elastic Security should immediately assess their exposure to this technique. Monitor for unusual invocations of WinGet's configuration functionality, particularly winget configure commands or COM-based calls to the Microsoft.Management.Configuration API that originate outside normal IT management workflows. Consider restricting access to WinGet's configuration feature flag on endpoints where it is not operationally required. Audit whether the PSDscResources PowerShell module is installed on systems where it has no legitimate purpose. Deploy behavioral detection rules that flag DSC configuration application events from unexpected contexts. Contact your EDR vendor for guidance on detection updates specific to this bypass technique.
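The audit and monitoring steps above, as an added PowerShell example that is not part of the article or of the DSCourier project: it reports whether a host meets the tool's two stated prerequisites (WinGet present, PSDscResources installed), flags process-creation records whose command line invokes winget configure or names the Microsoft.Management.Configuration API from a parent outside an allowlist, and shows how to feed it live Security event 4688 records. The parent allowlist, the sample records and the choice of event 4688 as the data source are assumptions, not details from the article.

```powershell
function Get-DscCourierPrerequisites {
    # Per the article, both must be present for the technique to work on this host.
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        WinGetPresent         = [bool](Get-Command winget.exe -ErrorAction SilentlyContinue)
        PSDscResourcesPresent = [bool](Get-Module -ListAvailable -Name PSDscResources)
    }
}

function Find-WinGetConfigureInvocation {
    param(
        [Parameter(Mandatory)] [object[]] $Record,      # objects with CommandLine and ParentImage
        [string[]] $AllowedParent = @('explorer.exe')   # assumed "normal IT" parents; tune per site
    )
    foreach ($r in $Record) {
        # 'winget configure' / 'winget.exe configure', or a direct reference to the COM API name
        if ($r.CommandLine -match '\bwinget(\.exe)?\s+configure\b|Microsoft\.Management\.Configuration') {
            $parent = [System.IO.Path]::GetFileName($r.ParentImage)
            [pscustomobject]@{
                Suspicious  = ($AllowedParent -notcontains $parent)
                Parent      = $parent
                CommandLine = $r.CommandLine
            }
        }
    }
}

function Get-ProcessCreationRecord {
    # Live input: Security event 4688 (requires process-creation auditing with command-line logging)
    param([int] $MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                CommandLine = ($d | Where-Object Name -eq 'CommandLine').'#text'
                ParentImage = ($d | Where-Object Name -eq 'ParentProcessName').'#text'
            }
        }
}

# Constructed sample records standing in for live 4688 data; only the first should be flagged.
$sample = @(
    [pscustomobject]@{ CommandLine = 'winget.exe configure --file C:\Users\Public\cfg.yaml';    ParentImage = 'C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ CommandLine = 'winget install Microsoft.PowerToys';                      ParentImage = 'C:\Windows\explorer.exe' }
    [pscustomobject]@{ CommandLine = 'winget configure --file C:\ProgramData\IT\baseline.yaml'; ParentImage = 'C:\Windows\explorer.exe' }
)
Get-DscCourierPrerequisites | Format-List
Find-WinGetConfigureInvocation -Record $sample | Format-Table -AutoSize
# On a live host: Find-WinGetConfigureInvocation -Record (Get-ProcessCreationRecord) | Where-Object Suspicious
```

The command-line match catches only the winget configure path; a direct COM caller like DSCourier itself leaves no such command line, so the host-level prerequisite check and EDR vendor detection updates remain necessary alongside this rule.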

By Zero Day Wire