grok-3-beta
KQL Benchmark Performance Analysis
Performance Overview
Success Rate
48.9%
(92 / 188 successful)
Average Attempts
3.03
per question
Avg. Execution Time
9.99s
Total Cost
$12.0694
Detailed Test Results
Showing 1 to 50 of 188 results
Page 1 of 4
| # | Prompt (Question) | MITRE ATT&CK | Correct Answer | LLM Answer | Correct | KQL Query from LLM |
|---|---|---|---|---|---|---|
| 1 | An analyst notices a PowerShell process on a Windows host that appears to be checking SMB connectivity. Which PowerShell cmdlet was executed to perform this outbound port 445 test? | Test-NetConnection | ConnectAsync | ✗ | DeviceNetworkEvents
| where InitiatingProcessFileName =~ 'powershell.exe'
| where RemotePort == 445
| where ActionType == 'ConnectionSuccess' or ActionType == 'OutboundConnection'
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort
| order by Timestamp desc
| limit 100 | |
| 2 | Using Windows process event logs, investigate PowerShell activity around lsass.exe memory capture. What was the name of the script file invoked to perform the dump? | Out-Minidump.ps1 | Out-Minidump.ps1 | ✓ | DeviceProcessEvents
| where (InitiatingProcessFileName =~ 'powershell.exe' or FileName =~ 'powershell.exe')
| where (ProcessCommandLine contains 'lsass' or InitiatingProcessCommandLine contains 'lsass')
| project
ScriptFileName = extract('([^ \"]*\\.ps1)', 1, ProcessCommandLine),
ProcessFileName = FileName,
ProcessCommandLine,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
AccountName,
AccountDomain,
DeviceName,
DeviceId,
Timestamp
| order by Timestamp desc | |
| 3 | On Windows devices, identify the full command used when the built-in credential manager utility was invoked to list stored credentials. What was the exact command? | cmdkey /list | cmdkey.exe /list | ✓ | DeviceProcessEvents
| where FileName == 'cmdkey.exe' and ProcessCommandLine contains '/list'
| project DeviceName, ProcessCommandLine, ProcessCreationTime, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by ProcessCreationTime desc | |
| 4 | On a Windows host, an attacker leveraged COMSVCS.DLL via rundll32.exe to dump the memory of svchost.exe into a file under the Temp directory. Review the file creation logs to determine the exact name of the dump file that was generated. | svchost-exe.dmp | svchost-exe.dmp | ✓ | DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath contains "Temp"
| where InitiatingProcessFileName == "rundll32.exe"
| where InitiatingProcessCommandLine contains "COMSVCS" or InitiatingProcessCommandLine contains "svchost.exe"
| project Timestamp, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, DeviceName
| order by Timestamp desc | |
| 5 | On a Linux host, a ping command was executed to test internet connectivity. Determine which IP address was used as the ping target. | 8.8.8.8 | 8.8.8.8 | ✓ | DeviceProcessEvents
| where ProcessCommandLine contains "ping"
| join kind=inner (
DeviceInfo
| where OSPlatform contains "Linux"
) on DeviceId
| extend ExtractedIP = extract("[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+", 0, ProcessCommandLine)
| where isnotempty(ExtractedIP)
| project DeviceName, ProcessCreationTime, ProcessCommandLine, ExtractedIP
| order by ProcessCreationTime desc | |
| 6 | Identify the PowerShell cmdlet used on Windows to format and display the raw volume bytes after an attacker read the boot sector via a DOS device path. | Format-Hex | Format-Hex | ✓ | DeviceProcessEvents
| where InitiatingProcessFileName =~ 'powershell.exe'
| where ProcessCommandLine has_any ('Format-Hex', '\\.\\', 'Read', 'Boot', 'Sector', 'Volume', 'Raw', 'Bytes')
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc | |
| 7 | Review Linux process execution records for any commands that list TCP metric cache entries and filter out loopback interfaces. Which utility was used? | ip | ip | ✓ | DeviceProcessEvents
| where ProcessCommandLine has "ss" or ProcessCommandLine has "netstat" or ProcessCommandLine contains "tcp"
| join kind=leftanti (
DeviceNetworkEvents
| where LocalIP == "127.0.0.1"
) on DeviceId, InitiatingProcessId
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, DeviceId
| summarize count() by InitiatingProcessFileName, DeviceName, ProcessCommandLine
| order by count_ desc | |
| 8 | A Linux host’s Syslog shows a shell-based network discovery script ran multiple commands. One of them listed current TCP connections. Which utility was invoked? | netstat | netstat | ✓ | DeviceProcessEvents
| where ProcessCommandLine contains 'netstat' or ProcessCommandLine contains 'ss' or ProcessCommandLine contains 'lsof'
| where FileName in ('netstat', 'ss', 'lsof')
| project DeviceName, FileName, ProcessCommandLine, ProcessCreationTime, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by ProcessCreationTime desc | |
| 9 | On a Windows host, someone appears to have run a built-in network shell utility to list saved wireless network profiles and their passwords in clear text. Review the process creation logs to discover the exact command that was executed. | netsh wlan show profile * key=clear | netsh | ✓ | DeviceProcessEvents
| where ProcessCommandLine matches regex '(?i)netsh.*wlan.*show.*profile.*key.*clear'
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, ProcessCreationTime, InitiatingProcessFileName, InitiatingProcessAccountName, ProcessId, InitiatingProcessId
| order by Timestamp desc | |
| 10 | On a Linux system, review process creation logs to spot any dd commands reading from /proc/*/mem. What was the name of the file where the dumped memory was written? | T1003.007.bin | /tmp/T1003.007.bin | ✓ | DeviceProcessEvents
| where ProcessCommandLine contains "dd"
| where ProcessCommandLine contains "/proc/" and ProcessCommandLine contains "mem"
| extend OutputFile = extract("of=([^\\s]+)", 1, ProcessCommandLine)
| project Timestamp, DeviceName, ProcessCommandLine, OutputFile, AccountName, InitiatingProcessFileName
| order by Timestamp desc | |
| 11 | On a Windows endpoint, look for evidence of a base64-encoded PowerShell payload execution. Which executable launched the encoded command? | powershell.exe | powershell.exe | ✓ | DeviceProcessEvents
| where FileName contains "powershell.exe"
| where ProcessCommandLine contains "encodedcommand" or ProcessCommandLine matches regex @"[A-Za-z0-9+/]{50,}"
| summarize Count = count() by InitiatingProcessFileName, DeviceName
| order by Count desc | |
| 12 | On a Windows endpoint, review process creation logs to uncover when a built-in utility was used to reveal ARP entries. What exact command was used to list the ARP cache? | arp -a | N/A | ✗ | ||
| 13 | A Windows host shows a process launch with an extremely obfuscated command line that dynamically builds and invokes code at runtime. Which process name was used to execute this payload? | powershell | powershell.exe | ✓ | DeviceProcessEvents
| where ProcessCommandLine != ''
| where strlen(ProcessCommandLine) > 500 or ProcessCommandLine contains 'Invoke-Expression' or ProcessCommandLine contains 'IEX' or ProcessCommandLine contains 'EncodedCommand'
| project FileName, ProcessCommandLine, DeviceName, ProcessCreationTime
| order by ProcessCreationTime desc
| take 50 | |
| 14 | An analyst suspects a user or script ran a service enumeration command on a Linux system. Review process events to find the service-listing invocation and specify the full command that was executed. | systemctl --type=service | N/A | ✗ | ||
| 15 | On Windows hosts, look through recent PowerShell execution records to find any elevated session where remote management was turned on. What exact command was run to enable PSRemoting? | Enable-PSRemoting -Force | N/A | ✗ | ||
| 16 | In a Linux environment, you observe a process labeled like the cron daemon but running from an unexpected path. Investigate creation events to uncover the actual filename used by this fake cron process. | crond | crond | ✓ | DeviceProcessEvents
| where FileName contains "cron"
| where FolderPath !startswith "/usr/sbin/" and FolderPath !startswith "/usr/bin/"
| project DeviceName, FileName, FolderPath, ProcessCreationTime, ProcessCommandLine, SHA1, SHA256, Timestamp
| order by Timestamp desc | |
| 17 | On a Linux system, spotting a file‐size change by exactly one byte can indicate hash tampering via padding. Review process execution logs for invocations that increased a file’s size by one byte. Which utility was invoked to perform this padding? | truncate | N/A | ✗ | ||
| 18 | Analyze Windows process events for any schtasks.exe commands that created a new task invoking PowerShell. What is the name of the .ps1 script specified to run? | T1036.004_NonExistingScript.ps1 | T1036.004_NonExistingScript.ps1 | ✓ | DeviceProcessEvents
| where FileName contains 'schtasks.exe'
| where ProcessCommandLine has_any ('/create', '-create')
| where ProcessCommandLine has 'powershell'
| extend ScriptName = extract('[^a-zA-Z0-9]([a-zA-Z0-9\\-_.]+\\.ps1)[^a-zA-Z0-9]', 1, ProcessCommandLine)
| where isnotempty(ScriptName)
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, ScriptName
| order by Timestamp desc | |
| 19 | In a Linux environment, an elevated process was used to execute a command that read /etc/shadow and redirected its output to a file. Identify what file name was employed to store these results. | T1003.008.txt | N/A | ✗ | ||
| 20 | On a Windows system, someone ran PowerShell to copy a file from a remote machine’s C$ share to the local TEMP folder. Using process event logs, what full PowerShell command was executed to perform this action? | copy-item -Path "\\127.0.0.1\C$\Windows\temp\Easter_Bunny.password" -Destination "$Env:TEMP\Easter_egg.password" | powershell.exe & {copy-item -Path "\\127.0.0.1\C$\Windows\temp\Easter_Bunny.password" -Destination "$Env:TEMP\Easter_egg.password"} | ✓ | DeviceProcessEvents
| where FileName contains "powershell.exe"
| where ProcessCommandLine contains "C$" and ProcessCommandLine contains "temp"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| order by Timestamp desc | |
| 21 | A reconnaissance tool was executed on a Windows system. Identify the specific function of the tool that was executed. The function has a name from something you can eat | fruit | fruit | ✓ | DeviceProcessEvents
| where ProcessCommandLine matches regex @'\b(cookie|bread|cake|pie|fruit|apple|banana|cherry|grape|berry|meat|fish|rice|noodle|pasta|soup|salad|cheese|milk|egg)\b' or InitiatingProcessCommandLine matches regex @'\b(cookie|bread|cake|pie|fruit|apple|banana|cherry|grape|berry|meat|fish|rice|noodle|pasta|soup|salad|cheese|milk|egg)\b'
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName, ActionType
| order by Timestamp desc
| limit 100 | |
| 22 | A Windows host executed an ICMP-based network reconnaissance using a looping instruction in cmd.exe. Identify the exact command line that was used to perform the ping sweep. | for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i | N/A | ✗ | ||
| 23 | In a Windows log analytics workspace, search for PowerShell processes that were used to enumerate network connections. Determine which PowerShell cmdlet was executed to list active TCP connections. | Get-NetTCPConnection | Get-NetTCPConnection | ✓ | DeviceProcessEvents
| where FileName contains "powershell.exe" or InitiatingProcessFileName contains "powershell.exe"
| where ProcessCommandLine has_any ("Get-NetTCPConnection", "netstat", "Get-NetUDPEndpoint", "Get-Process", "network", "connection", "tcp")
or InitiatingProcessCommandLine has_any ("Get-NetTCPConnection", "netstat", "Get-NetUDPEndpoint", "Get-Process", "network", "connection", "tcp")
| project DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, Timestamp
| order by Timestamp desc | |
| 24 | Linux hosts may log events when new files are added to /var/spool/cron/crontabs. Query those logs for a creation or write action in that directory and determine the file name that was added. | persistevil | persistevil | ✓ | DeviceFileEvents
| where ActionType in ('FileCreated', 'FileModified')
| where FolderPath contains '/var/spool/cron/crontabs'
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName, InitiatingProcessFileName
| order by Timestamp desc | |
| 25 | A user launched a Windows command prompt and executed a built-in utility to enumerate all active network connections. Using process creation logs, identify the exact tool that produced the list of current connections. | netstat | netstat | ✓ | DeviceProcessEvents
| where InitiatingProcessFileName =~ 'cmd.exe'
| where FileName in~ ('netstat.exe', 'ipconfig.exe', 'arp.exe')
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, ProcessCreationTime, InitiatingProcessAccountName
| order by Timestamp desc | |
| 26 | A process is running under a familiar Windows host name but originates from a user's AppData folder rather than the System32 directory. Identify the filename used to masquerade the PowerShell binary on this Windows device. | taskhostw.exe | N/A | ✗ | ||
| 27 | Review the process creation logs on a Windows host to uncover any tool execution indicative of a special APC injection for shellcode execution. What was the name of the executable used? | NtQueueApcThreadEx.exe | rundll32.exe | ✗ | DeviceProcessEvents
| where ActionType == 'ProcessCreated'
| where ProcessCommandLine contains 'rundll32' or ProcessCommandLine contains 'regsvr32' or ProcessCommandLine contains 'mshta' or InitiatingProcessFileName in ('rundll32.exe', 'regsvr32.exe', 'mshta.exe')
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath
| order by Timestamp desc | |
| 28 | On a Windows host, find any scheduled task that was registered using PowerShell native cmdlets instead of schtasks.exe. What was the name given to the new task? | AtomicTask | AtomicTask | ✓ | DeviceProcessEvents
| where InitiatingProcessFileName =~ 'powershell.exe'
| where ProcessCommandLine has_any ('New-ScheduledTask', 'Register-ScheduledTask')
| where ProcessCommandLine !has 'schtasks.exe'
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, TaskName = extract('(?i)TaskName\\s*=\\s*["]?([^"\\s]+)["]?', 1, ProcessCommandLine)
| order by Timestamp desc | |
| 29 | On a Windows device, PowerShell was used to collect a snapshot of running processes. Identify the exact cmdlet that was executed. | Get-Process | Get-Process | ✓ | DeviceProcessEvents
| where InitiatingProcessFileName =~ 'powershell.exe'
| where InitiatingProcessCommandLine contains 'Get-Process'
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine
| order by Timestamp desc | |
| 30 | You suspect malicious persistence via scheduled tasks on a Windows endpoint. Review the process execution logs to identify the built-in utility used to register tasks at logon or startup. What is the name of this utility? | schtasks | schtasks.exe | ✓ | DeviceProcessEvents
| where FileName contains "schtasks.exe"
| where ProcessCommandLine contains "logon" or ProcessCommandLine contains "startup"
| summarize count() by FileName, ProcessCommandLine, DeviceName, AccountName, ProcessCreationTime
| order by ProcessCreationTime desc | |
| 31 | A Linux host briefly hosted an HTTP service under /tmp. Examine process creation logs to determine the exact python3 command that was used to start the server on port 9090. | python3 -m http.server 9090 | N/A | ✗ | ||
| 32 | On a Windows endpoint you observe a PowerShell process that fetches a script from the internet and immediately executes an RPC service scan against the spooler. Which function name was invoked to perform that scan? | spoolvulnscan | N/A | ✗ | ||
| 33 | A Windows host shows a core command-line utility being duplicated from its System32 location to a user-profile folder and subsequently run. Identify the name of the executable that was copied. | cmd.exe | N/A | ✗ | ||
| 34 | A Windows endpoint recorded a command-line activity through cmd.exe that lists all running processes. Determine which built-in tool was executed to perform this action. | tasklist | tasklist | ✓ | DeviceProcessEvents
| where InitiatingProcessFileName =~ 'cmd.exe'
| where ProcessCommandLine contains 'tasklist'
| project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, ProcessCreationTime, InitiatingProcessAccountName
| order by TimeGenerated desc | |
| 35 | On Windows, review recent registry changes to detect when the MSC file association was hijacked by a reg add operation. What executable file was configured as the default command under HKCU\Software\Classes\mscfile\shell\open\command? | calc.exe | N/A | ✗ | ||
| 36 | A threat actor on a Windows system crafted and registered a service named almost identically to the standard time service, but redirecting execution to a custom script. Review the logging data to determine which native command-line tool was used to perform this action. What utility was invoked? | sc | sc | ✓ | let TimeRange = ago(30d);
union DeviceRegistryEvents, DeviceProcessEvents, DeviceEvents
| where Timestamp > TimeRange
| where (Type == 'DeviceRegistryEvents' and RegistryKey contains 'SYSTEM\\CurrentControlSet\\Services' and RegistryKey matches regex '(?i)(w32time|time|timeservice)')
or (Type == 'DeviceProcessEvents' and ProcessCommandLine matches regex '(?i)(sc\\s+create|sc\\s+config|New-Service|Set-Service|reg\\s+add|reg\\s+set)' and ProcessCommandLine matches regex '(?i)(w32time|time|timeservice)')
or (Type == 'DeviceEvents' and InitiatingProcessCommandLine matches regex '(?i)(sc\\s+create|sc\\s+config|New-Service|Set-Service|reg\\s+add|reg\\s+set)' and InitiatingProcessCommandLine matches regex '(?i)(w32time|time|timeservice)')
| where InitiatingProcessFileName matches regex '(?i)(sc\\.exe|reg\\.exe|powershell\\.exe|cmd\\.exe)'
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData, ProcessCommandLine, Type, ActionType
| order by Timestamp desc | |
| 37 | Windows process creation logs show a PowerShell-driven file transfer to an FTP service. Which executable was leveraged to perform this exfiltration? | rclone.exe | N/A | ✗ | ||
| 38 | Examine the logs from the Linux system for events related to the systemd timer activation. Identify any records indicating that a new timer unit was started and enabled, and determine which timer name was used. | art-timer.timer | N/A | ✗ | ||
| 39 | Investigate Windows process events for PowerShell activity that leverages WMI to register a scheduled task via XML import. What was the name of the XML file supplied to the RegisterByXml method? | T1053_005_WMI.xml | N/A | ✗ | ||
| 40 | A malicious actor may attempt to list running processes on a Windows machine using a WMI-based command. Review the process creation events to find out which utility was invoked to perform this enumeration. | wmic.exe | wmic | ✓ | DeviceProcessEvents
| where ProcessCommandLine has 'wmic' and ProcessCommandLine has 'process' and (ProcessCommandLine has 'list' or ProcessCommandLine has 'get')
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessAccountName
| summarize Count=count() by InitiatingProcessFileName, ProcessCommandLine, DeviceName, InitiatingProcessAccountName, Timestamp
| order by Timestamp desc
| take 100 | |
| 41 | On a Linux host, identify the process invocation that altered a user’s login shell. What was the full command used? | chsh -s /bin/sh art | chsh -s /bin/sh art | ✓ | let shellChangeCommands = dynamic(['chsh', 'usermod']);
DeviceFileEvents
| where FolderPath contains '/etc/passwd' and ActionType == 'FileModified'
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType, FileName, FolderPath
| union (
DeviceProcessEvents
| where ProcessCommandLine has_any (shellChangeCommands)
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType='ProcessExecuted', FileName='', FolderPath=''
)
| order by TimeGenerated desc | |
| 42 | On a Linux system, find any process creation record where awk is used with a BEGIN rule to launch a shell. What was the exact command invoked? | awk 'BEGIN {system("/bin/sh &")}’ | awk 'BEGIN {system("/bin/sh &")}' | ✓ | DeviceProcessEvents
| where FileName contains 'awk'
| where ProcessCommandLine has 'BEGIN' and ProcessCommandLine has_any ('sh', 'bash', 'shell')
| project DeviceName, ProcessCreationTime, ProcessCommandLine, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by ProcessCreationTime desc | |
| 43 | Which full interactive shell command, as recorded in the Linux process logs, repeatedly echoed a distinctive marker message to the terminal? | for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done | sh -c 'ENCODED=$(echo "Hello from Atomic Red Team test T1140!" | base64); printf $ENCODED | base64 -d; echo $ENCODED | base64 -d; echo $(echo $ENCODED) | base64 -d; echo $ENCODED > /tmp/T1140.encoded && base64 -d /tmp/T1140.encoded; echo $ENCODED > /tmp/T1140.encoded && base64 -d < /tmp/T1140.encoded; echo $ENCODED > /tmp/T1140.encoded && cat /tmp/T1140.encoded | base64 -d; echo $ENCODED > /tmp/T1140.encoded && cat < /tmp/T1140.encoded | base64 -d; bash -c "{echo,\"$(echo $ENCODED)\"}|{base64,-d}"' | ✗ | DeviceProcessEvents
| where ProcessCommandLine contains "echo"
| summarize CommandCount = count() by ProcessCommandLine
| top 10 by CommandCount desc
| project ProcessCommandLine, CommandCount | |
| 44 | On a Windows endpoint, wscript.exe was used to run a JScript. Identify the exact script path passed to wscript. | PathToAtomicsFolder\T1059.007\src\sys_info.js | C:\AtomicRedTeam\atomics\T1059.007\src\sys_info.js | ✓ | DeviceProcessEvents
| where FileName == 'wscript.exe'
| where ProcessCommandLine has '.js' or ProcessCommandLine has '.jse'
| extend ScriptPath = extract('(?:[^"]\\S+\\.js[e]?|[^"\\s]+\\.js[e]?)', 0, ProcessCommandLine)
| project DeviceName, Timestamp, ProcessCommandLine, ScriptPath
| order by Timestamp desc | |
| 45 | Review recent Windows process event logs for PowerShell activity that suggests local group enumeration through WMI. What exact command was executed? | Get-WMIObject Win32_Group | Get-WMIObject Win32_Group | ✓ | DeviceProcessEvents
| where InitiatingProcessFileName in ('powershell.exe', 'pwsh.exe')
| where ProcessCommandLine contains 'Get-WmiObject' or ProcessCommandLine contains 'Win32_Group' or ProcessCommandLine contains 'group' or ProcessCommandLine contains 'wmi'
| project DeviceName, AccountName, ProcessCommandLine, Timestamp
| order by Timestamp desc | |
| 46 | While reviewing Windows process events, you spot a PowerShell process executing a WMI enumeration cmdlet. What WMI class name did the attacker query? | Win32_Process | Win32_Process | ✓ | DeviceProcessEvents
| where FileName has "powershell.exe"
| where ProcessCommandLine matches regex "(?i)(Get-WmiObject|Invoke-WmiMethod).*?-Class\\s+[^\\s;]+"
| extend WMIClass = extract("(?i)-Class\\s+([^\\s;]+)", 1, ProcessCommandLine)
| where isnotempty(WMIClass)
| summarize Count = count() by WMIClass
| project WMIClass, Count | |
| 47 | On a Windows host, investigate process events to find when Task Manager was launched via cmd with an unusual flag. What was the full command executed? | taskmgr.exe /7 | N/A | ✗ | ||
| 48 | On a Linux system, identify the script that was generated by decoding a base64 data file and then executed. What was the filename of that script? | art.sh | N/A | ✗ | ||
| 49 | On a Windows device, review the process execution logs to find instances where a built-in listing tool was piped into a string filter. Identify the process name that the attacker was searching for. | lsass | N/A | ✗ | ||
| 50 | On a Windows endpoint, review process execution logs to see if any PowerShell sessions were wiped clean. Which command was executed to clear the PowerShell history? | Clear-History | Clear-History | ✓ | DeviceProcessEvents
| where FileName in ('powershell.exe', 'pwsh.exe')
| where ProcessCommandLine has_any ('clear-history', 'delete history', 'remove history', 'clear history')
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, AccountName
| order by Timestamp desc |
Page 1 of 4