gpt-35-turbo vs gpt-4.1-finetuned KQL Benchmark

On a Windows endpoint, review process creation logs to uncover when a built-in utility was used to reveal ARP entries. What exact command was used to list the ARP cache?

Windows process creation logs show a PowerShell-driven file transfer to an FTP service. Which executable was leveraged to perform this exfiltration?

A user launched a Windows command prompt and executed a built-in utility to enumerate all active network connections. Using process creation logs, identify the exact tool that produced the list of current connections.

In a Windows log analytics workspace, search for PowerShell processes that were used to enumerate network connections. Determine which PowerShell cmdlet was executed to list active TCP connections.

Investigate Windows process events for PowerShell activity that leverages WMI to register a scheduled task via XML import. What was the name of the XML file supplied to the RegisterByXml method?

You suspect malicious persistence via scheduled tasks on a Windows endpoint. Review the process execution logs to identify the built-in utility used to register tasks at logon or startup. What is the name of this utility?

On a Linux system, find any process creation record where awk is used with a BEGIN rule to launch a shell. What was the exact command invoked?

Using Linux process execution logs, identify the specific command that was used to filter loaded kernel modules for entries containing “vmw.” What was that full command?

On Windows systems, disabling RDP via the registry generates registry write events. Investigate registry event logs for modifications under the Terminal Server configuration path. What is the name of the registry value that was changed to disable Remote Desktop Protocol?

Review Windows process execution logs for any PowerShell activity that retrieves the system clock. Which command was executed?

Windows systems may be probed for their password policy settings using a native command-line tool. Determine which command was executed to list the local password policy on the target hosts.

Review Windows process creation events for evidence of a .NET assembly being installed. Which executable was launched with an "/action=install" argument?

Investigate Linux process or syslog records to find any invocation of the 'find' utility used to scan /usr/bin for files with the setuid bit. What was the full command executed?

On a Windows system, a registry event shows the EnableLUA value under the System policies key was set to 0, effectively disabling UAC. Which utility carried out this change?

A Windows host shows a registry write under DeviceRegistryEvents affecting the System policy path. Investigate entries where the data is set to ‘0’ and determine which registry value was modified to turn off UAC consent prompts.

On a Windows system, PowerShell was used to gather multiple browser credential files into a temp folder and then archive them. What was the name of the resulting ZIP file?

Investigating a Windows device, you suspect a non-standard executable was launched to set up a named pipe for client-server messaging. Determine the name of the executable that was run.

On a Linux system you suspect someone altered Bash’s history settings to hide their activity. Investigate process logs for evidence of HISTCONTROL being set to ignore entries. What was the full command executed to configure HISTCONTROL?

Review Linux process execution logs to find where the system journal service was stopped. Which utility was invoked to disable journal logging?

On Windows devices, identify the full command used when the built-in credential manager utility was invoked to list stored credentials. What was the exact command?

On a Linux system, review process creation logs to spot any dd commands reading from /proc/*/mem. What was the name of the file where the dumped memory was written?

On a Windows host, an attacker leveraged COMSVCS.DLL via rundll32.exe to dump the memory of svchost.exe into a file under the Temp directory. Review the file creation logs to determine the exact name of the dump file that was generated.

On a Linux host, a ping command was executed to test internet connectivity. Determine which IP address was used as the ping target.

On a Linux system, identify the script that was generated by decoding a base64 data file and then executed. What was the filename of that script?

Linux hosts may log events when new files are added to /var/spool/cron/crontabs. Query those logs for a creation or write action in that directory and determine the file name that was added.