gpscript.exe

  • File Path: C:\WINDOWS\SysWOW64\gpscript.exe
  • Description: Group Policy Script Application

Hashes

| Type | Hash |
|------|------|
| MD5 | E579A840702F587D8B043D3DFEEB2994 |
| SHA1 | 44486F2ABB4A863F4333ECEEFCFDB9D5421571B2 |
| SHA256 | B12D639945EC97872836BEAF93302E1B70AC9CDBAFFF20E886A7973AA840CB2C |
| SHA384 | F0090B3EC6D31AB06A992C600BA7F2475496F0447B334B3829EDEC1E17DFE94DE515A6E3A6E2992C1988F1A00E91CFDD |
| SHA512 | 63E23441AD9087C69A603960B7124D3C9489F6D89D098181B40A53FD43B358AB6EBD91C9A3A3CC8B6EBA5A6F01259175BED4B78845D16E024D26305612E25739 |
| SSDEEP | 768:Y7alU+Bk3XQ/V85PA4hhk488ELrTEuCgmdtjxX1TdTlZF99V5e:7++Bk3At85PA4mvPTEuADxX1TdTvF99 |

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: GPSCRIPT.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of gpscript.exe being misused. While gpscript.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|--------|-------------|---------|---------|
| LOLBAS | Gpscript.yml | Name: Gpscript.exe | |
| LOLBAS | Gpscript.yml | - Command: Gpscript /logon | |
| LOLBAS | Gpscript.yml | - Command: Gpscript /startup | |
| LOLBAS | Gpscript.yml | - Path: C:\Windows\System32\gpscript.exe | |
| LOLBAS | Gpscript.yml | - Path: C:\Windows\SysWOW64\gpscript.exe | |
| LOLBAS | Gpscript.yml | - IOC: Execution of Gpscript.exe after logon | |
| LOLBAS | Gpscript.yml | - Link: https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/ | |

MIT License. Copyright (c) 2020-2021 Strontic.