gpscript.exe

• File Path: C:\Windows\SysWOW64\gpscript.exe
• Description: Group Policy Script Application

Hashes

Type	Hash
MD5	A6DC38BFB2D6748C5FC33B4563945F3E
SHA1	2B5132D4D026DED865336E5F430F035CADCD47F7
SHA256	D57E63C93A8713E342754C911C7053A08BF4B100049A1730ACFB1F696062A35B
SHA384	E53FE689B14E3D5B72AA7D8AD3D326A71264867BF529654CB244B63EE52184E65F83B9C75B39348E2F71A4331613E297
SHA512	5284AE4B1142910F661744501707705C3F51CF712C2EE2FC9FF9BCB897416B24164F86E5C76583A879FBA1BD05433B7EE61120E38CFF0E38B609385968A42733
SSDEEP	768:LfAQlUBk3rTy1KgcpMRqpEDSyLwEFVFlubIecuUG8:7AQiBk3re1KgclQSy3FVFlubILuUG8

Signature

• Status: Signature verified.
• Serial: 3300000266BD1580EFA75CD6D3000000000266
• Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
• Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
• Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

• Original Filename: GPSCRIPT.EXE
• Product Name: Microsoft Windows Operating System
• Company Name: Microsoft Corporation
• File Version: 10.0.14393.2457 (rs1_release_inmarket.180822-1743)
• Product Version: 10.0.14393.2457
• Language: English (United States)
• Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of gpscript.exe being misused. While gpscript.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
LOLBAS	Gpscript.yml	Name: Gpscript.exe
LOLBAS	Gpscript.yml	- Command: Gpscript /logon
LOLBAS	Gpscript.yml	- Command: Gpscript /startup
LOLBAS	Gpscript.yml	- Path: C:\Windows\System32\gpscript.exe
LOLBAS	Gpscript.yml	- Path: C:\Windows\SysWOW64\gpscript.exe
LOLBAS	Gpscript.yml	- IOC: Execution of Gpscript.exe after logon
LOLBAS	Gpscript.yml	- Link: https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/

MIT License. Copyright (c) 2020-2021 Strontic.