gpscript.exe

  • File Path: C:\Windows\system32\gpscript.exe
  • Description: Group Policy Script Application

Hashes

Type Hash
MD5 5DD0F13C8A76D57D6B02DD00C645D0F5
SHA1 6DCCA79BEDD6DF2B55CE4A5ADACE7CFF8F7AE210
SHA256 57B307144F8ED485DFC4519431131A722DB2E64FF5C8A35E7F1B59663FF1738D
SHA384 55244728CD9AA5545DEF38CDD18927E4792FAD302ACD069C05836A36C618C0203A05DC47B6611BC4F61377B468B2D937
SHA512 2DF834D675A6C69538528CDEC205E144A1B1BF765A1D4D0BDE7B12E5AF6E395C554B97FD0F36A9771C390CF8C3A89FEE12AE2FB891D03C7A982D058BD8AAB5C2
SSDEEP 768:lA1TP7KYN/TlmHlkyJvG35YD8ZCcLl0ex0HhcHytubIQj4Bx9sm:66YNxmHpq5UWCcL+ex0HTtubI24Bsm

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: GPSCRIPT.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.2457 (rs1_release_inmarket.180822-1743)
  • Product Version: 10.0.14393.2457
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of gpscript.exe being misused. While gpscript.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| LOLBAS | Gpscript.yml | Name: Gpscript.exe | |
| LOLBAS | Gpscript.yml | - Command: Gpscript /logon | |
| LOLBAS | Gpscript.yml | - Command: Gpscript /startup | |
| LOLBAS | Gpscript.yml | - Path: C:\Windows\System32\gpscript.exe | |
| LOLBAS | Gpscript.yml | - Path: C:\Windows\SysWOW64\gpscript.exe | |
| LOLBAS | Gpscript.yml | - IOC: Execution of Gpscript.exe after logon | |
| LOLBAS | Gpscript.yml | - Link: https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/ | |

MIT License. Copyright (c) 2020-2021 Strontic.