gpscript.exe

• File Path: C:\WINDOWS\SysWOW64\gpscript.exe
• Description: Group Policy Script Application

Hashes

Type	Hash
MD5	E579A840702F587D8B043D3DFEEB2994
SHA1	44486F2ABB4A863F4333ECEEFCFDB9D5421571B2
SHA256	B12D639945EC97872836BEAF93302E1B70AC9CDBAFFF20E886A7973AA840CB2C
SHA384	F0090B3EC6D31AB06A992C600BA7F2475496F0447B334B3829EDEC1E17DFE94DE515A6E3A6E2992C1988F1A00E91CFDD
SHA512	63E23441AD9087C69A603960B7124D3C9489F6D89D098181B40A53FD43B358AB6EBD91C9A3A3CC8B6EBA5A6F01259175BED4B78845D16E024D26305612E25739
SSDEEP	768:Y7alU+Bk3XQ/V85PA4hhk488ELrTEuCgmdtjxX1TdTlZF99V5e:7++Bk3At85PA4mvPTEuADxX1TdTvF99

Signature

• Status: Signature verified.
• Serial: 33000001C422B2F79B793DACB20000000001C4
• Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
• Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
• Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

• Original Filename: GPSCRIPT.EXE
• Product Name: Microsoft Windows Operating System
• Company Name: Microsoft Corporation
• File Version: 10.0.18362.1 (WinBuild.160101.0800)
• Product Version: 10.0.18362.1
• Language: English (United States)
• Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of gpscript.exe being misused. While gpscript.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
LOLBAS	Gpscript.yml	Name: Gpscript.exe
LOLBAS	Gpscript.yml	- Command: Gpscript /logon
LOLBAS	Gpscript.yml	- Command: Gpscript /startup
LOLBAS	Gpscript.yml	- Path: C:\Windows\System32\gpscript.exe
LOLBAS	Gpscript.yml	- Path: C:\Windows\SysWOW64\gpscript.exe
LOLBAS	Gpscript.yml	- IOC: Execution of Gpscript.exe after logon
LOLBAS	Gpscript.yml	- Link: https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/

MIT License. Copyright (c) 2020-2021 Strontic.