gpscript.exe

  • File Path: C:\WINDOWS\system32\gpscript.exe
  • Description: Group Policy Script Application

Hashes

Type Hash
MD5 C053BB1BDD38B15D828ACF018DA25A50
SHA1 4F7A78B05BF9124A7849EBFC19412422D877F1C3
SHA256 FC2BBA5BF5687A7AD45C158B9002D7563384E5149BD623ADC88D4482D0782AE2
SHA384 B66FC757A389B761419EFE0D6DFDF5856A92A63731BFC37C080693BC7675AB6A1A98902E7A31081A36A5150345311614
SHA512 D6B4695B0F74314C086714D93EEC3C33AB46A6EA63F77A8B732A737DB37010A2F648E5327E9D468D9529AE526B015B7522FD96C4614765BA05DEE947495258BB
SSDEEP 768:+HvvCVRZLhCJbpUfwqzQj+l0ex0H5LPTdT/g0LOlKFd:qvyV4lIk++ex0HBPTdT40LJFd

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: GPSCRIPT.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of gpscript.exe being misused. While gpscript.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
LOLBAS Gpscript.yml Name: Gpscript.exe  
LOLBAS Gpscript.yml - Command: Gpscript /logon  
LOLBAS Gpscript.yml - Command: Gpscript /startup  
LOLBAS Gpscript.yml - Path: C:\Windows\System32\gpscript.exe  
LOLBAS Gpscript.yml - Path: C:\Windows\SysWOW64\gpscript.exe  
LOLBAS Gpscript.yml - IOC: Execution of Gpscript.exe after logon  
LOLBAS Gpscript.yml - Link: https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/  

MIT License. Copyright (c) 2020-2021 Strontic.