← Back to Explore
sigmamediumHunting
Gpscript Execution
Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy
Detection Query
selection_img:
- Image|endswith: \gpscript.exe
- OriginalFileName: GPSCRIPT.EXE
selection_cli:
CommandLine|contains:
- " /logon"
- " /startup"
filter_main_svchost:
ParentCommandLine: C:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc
condition: all of selection_* and not 1 of filter_main_*
Author
frack113
Created
2022-05-16
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1218
Raw Content
title: Gpscript Execution
id: 1e59c230-6670-45bf-83b0-98903780607e
status: test
description: Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy
references:
- https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
- https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
author: frack113
date: 2022-05-16
modified: 2023-06-14
tags:
- attack.defense-evasion
- attack.t1218
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\gpscript.exe'
- OriginalFileName: 'GPSCRIPT.EXE'
selection_cli:
CommandLine|contains:
- ' /logon'
- ' /startup'
filter_main_svchost:
ParentCommandLine: 'C:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Legitimate uses of logon scripts distributed via group policy
level: medium