Gpscript Execution
Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy
Sigma rule

```yaml
title: Gpscript Execution
id: 1e59c230-6670-45bf-83b0-98903780607e
status: test
description: Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy
references:
    - https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
    - https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
author: frack113
date: 2022-05-16
modified: 2023-06-14
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\gpscript.exe'
        - OriginalFileName: 'GPSCRIPT.EXE'
    selection_cli:
        CommandLine|contains:
            - ' /logon'
            - ' /startup'
    filter_main_svchost:
        ParentCommandLine: 'C:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Legitimate uses of logon scripts distributed via group policy
level: medium
```
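To show how the rule's condition resolves (selection_img OR-joined, selection_cli OR-joined, both required, and the gpsvc-hosted svchost parent excluded), here is an added Python evaluator run over constructed process-creation events. It is not part of the Sigma rule or the rule browser; the event fields and sample values are assumptions chosen to exercise each branch, and string matching is case-insensitive, as Sigma's default modifiers are.

```python
from dataclasses import dataclass

# Constructed process-creation event, limited to the fields this rule reads.
@dataclass
class ProcessEvent:
    image: str
    original_file_name: str
    command_line: str
    parent_command_line: str

SVCHOST_GPSVC = "c:\\windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc"

def matches_gpscript_rule(ev: ProcessEvent) -> bool:
    # selection_img: a list of maps, so either entry suffices (OR).
    selection_img = (
        ev.image.lower().endswith("\\gpscript.exe")
        or ev.original_file_name.lower() == "gpscript.exe"
    )
    # selection_cli: CommandLine|contains with a value list (OR).
    cli = ev.command_line.lower()
    selection_cli = (" /logon" in cli) or (" /startup" in cli)
    # filter_main_svchost: exact match on the Group Policy service host parent.
    filter_svchost = ev.parent_command_line.lower() == SVCHOST_GPSVC
    # condition: all of selection_* and not 1 of filter_main_*
    return selection_img and selection_cli and not filter_svchost

def run_constructed_events() -> dict:
    """Evaluate three constructed events; keys name the scenario."""
    legit = ProcessEvent(  # gpsvc launching a logon script: filtered out
        r"C:\Windows\System32\gpscript.exe", "GPSCRIPT.EXE",
        "gpscript.exe /logon",
        r"C:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc")
    odd_parent = ProcessEvent(  # same binary, but spawned from a shell
        r"C:\Windows\System32\gpscript.exe", "GPSCRIPT.EXE",
        "gpscript.exe /startup", r"C:\Windows\System32\cmd.exe")
    renamed = ProcessEvent(  # copy renamed on disk; OriginalFileName still hits
        r"C:\Temp\gs.exe", "GPSCRIPT.EXE",
        "gs.exe /logon", r"C:\Windows\System32\cmd.exe")
    no_switch = ProcessEvent(  # no /logon or /startup: selection_cli fails
        r"C:\Windows\System32\gpscript.exe", "GPSCRIPT.EXE",
        "gpscript.exe", r"C:\Windows\System32\cmd.exe")
    return {name: matches_gpscript_rule(ev) for name, ev in
            [("legit", legit), ("odd_parent", odd_parent),
             ("renamed", renamed), ("no_switch", no_switch)]}

if __name__ == "__main__":
    for name, hit in run_constructed_events().items():
        print(f"{name}: {'ALERT' if hit else 'no match'}")
```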
Related rules
- Abusing Print Executable
- AddinUtil.EXE Execution From Uncommon Directory
- AgentExecutor PowerShell Execution
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Arbitrary File Download Via MSOHTMED.EXE