Gpscript Execution

calendar May 2, 2024 · attack.defense_evasion attack.t1218  ·
Share on: linkedin copy

Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy

Sigma rule (View on GitHub)

 1title: Gpscript Execution
 2id: 1e59c230-6670-45bf-83b0-98903780607e
 3status: test
 4description: Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy
 5references:
 6    - https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
 7    - https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
 8author: frack113
 9date: 2022/05/16
10modified: 2023/06/14
11tags:
12    - attack.defense_evasion
13    - attack.t1218
14logsource:
15    product: windows
16    category: process_creation
17detection:
18    selection_img:
19        - Image|endswith: '\gpscript.exe'
20        - OriginalFileName: 'GPSCRIPT.EXE'
21    selection_cli:
22        CommandLine|contains:
23            - ' /logon'
24            - ' /startup'
25    filter_main_svchost:
26        ParentCommandLine: 'C:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc'
27    condition: all of selection_* and not 1 of filter_main_*
28falsepositives:
29    - Legitimate uses of logon scripts distributed via group policy
30level: medium

References

  • GPscript.exe – another LOLBin to the list

    TL;DR – GPO scripts can be defined for user and started with GPScript.exe /Logon – Logonscripts do not show up in Autoruns.exe   I started to play around with GPscript.exe here the…


    Read More

  • Gpscript | LOLBAS

    Executes logon scripts configured in Group Policy. Gpscript /logon Use caseAdd local group policy logon script to execute file and hide from defensive counter measures Privileges requiredAdministra...


    Read More

Related rules

to-top