gpscript.exe

  • File Path: C:\Windows\SysWOW64\gpscript.exe
  • Description: Group Policy Script Application

Hashes

Type Hash
MD5 A6DC38BFB2D6748C5FC33B4563945F3E
SHA1 2B5132D4D026DED865336E5F430F035CADCD47F7
SHA256 D57E63C93A8713E342754C911C7053A08BF4B100049A1730ACFB1F696062A35B
SHA384 E53FE689B14E3D5B72AA7D8AD3D326A71264867BF529654CB244B63EE52184E65F83B9C75B39348E2F71A4331613E297
SHA512 5284AE4B1142910F661744501707705C3F51CF712C2EE2FC9FF9BCB897416B24164F86E5C76583A879FBA1BD05433B7EE61120E38CFF0E38B609385968A42733
SSDEEP 768:LfAQlUBk3rTy1KgcpMRqpEDSyLwEFVFlubIecuUG8:7AQiBk3re1KgclQSy3FVFlubILuUG8

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: GPSCRIPT.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.2457 (rs1_release_inmarket.180822-1743)
  • Product Version: 10.0.14393.2457
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of gpscript.exe being misused. While gpscript.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| LOLBAS | Gpscript.yml | Name: Gpscript.exe | |
| LOLBAS | Gpscript.yml | - Command: Gpscript /logon | |
| LOLBAS | Gpscript.yml | - Command: Gpscript /startup | |
| LOLBAS | Gpscript.yml | - Path: C:\Windows\System32\gpscript.exe | |
| LOLBAS | Gpscript.yml | - Path: C:\Windows\SysWOW64\gpscript.exe | |
| LOLBAS | Gpscript.yml | - IOC: Execution of Gpscript.exe after logon | |
| LOLBAS | Gpscript.yml | - Link: https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/ | |

MIT License. Copyright (c) 2020-2021 Strontic.