Runscripthelper.exe


runscripthelper.exe surfacecheck \\?\C:\Test\Microsoft\Diagnosis\scripts\test.txt C:\Test
Execute the PowerShell script named test.txt.

Windows binary: True
Bypasses Default AppLocker Rules: False
Mitre: T1218
Links:
- https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc
File path:
- C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe
- C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe
Acknowledgement:
- Name: Matt Graeber
  - Twitter: @mattifestation
  - Blog: http://www.exploit-monday.com/

OS:

Provide feedback