// question

A Linux system shows a shell invocation that appears to be searching for files with elevated group permissions. Using the available process execution logs, determine exactly what command was run.

Reference KQL answer and model-by-model comparison.

3fb46e17-f337-4c14-9f9a-a471946533e2
question id
11/23
models correct
1
valid answer
48%
success rate
// reference answer

Human-validated correct answer for this question.

find /usr/bin -perm -2000
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
find / -perm -2000 -type f
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine has "find" and (ProcessCommandLine has "-perm" and (ProcessCommandLine has "2000" or ProcessCommandLine has "/2000" or ProcessCommandLine has "-2000") or ProcessCommandLine has "g+s")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
fail116.84s0.0074
gpt-35-turbo
no answer
no query generatedfail50.00s0.0108
gpt-4-turbo-2024-04-09
find /usr/bin -perm -4000
DeviceProcessEvents
| where FileName contains 'bash' or FileName contains 'sh'
| where ProcessCommandLine has 'find' and (ProcessCommandLine has_any ('-perm', 'g+s'))
| project DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, TimeGenerated
fail218.49s0.0989
gpt-4.1
find /usr/bin/crontab /usr/bin/ssh-agent /usr/bin/expiry /usr/bin/chage /usr/sbin/unix_chkpwd /usr/sbin/pam_extrausers_chkpwd /usr/lib/x86_64-linux-gnu/utempter/utempter -perm -2000 -type f -exec ls -la {} ;
DeviceProcessEvents
| where FileName =~ "find"
| where ProcessCommandLine has "-perm"
| where ProcessCommandLine has_any ("g=s", "/2000", "2000", "2600")
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, FolderPath, ProcessId, InitiatingProcessAccountName
| order by TimeGenerated desc
fail316.41s0.0299
gpt-4.1-finetuned
no answer
no query generatedfail50.00s0.0327
gpt-4.1-mini
find /usr/bin -perm -2000
DeviceProcessEvents
| where ProcessCommandLine contains "-perm"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated desc
| limit 20
pass550.98s0.0072
gpt-4.1-nano
no answer
no query generatedfail50.00s0.0015
gpt-4o
find /usr/bin/su /usr/bin/newgrp /usr/bin/sudo /usr/bin/passwd /usr/bin/fusermount3 /usr/bin/chfn /usr/bin/chsh /usr/bin/gpasswd /usr/bin/mount /usr/bin/umount /usr/sbin/mount.cifs /usr/lib/openssh/ssh-keysign /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/snapd/snap-confine /usr/lib/polkit-1/polkit-agent-helper-1 -uid 0 -perm -4002 -type f -exec ls -la {} \;
DeviceProcessEvents
| where isnotempty(ProcessCommandLine)
| where ProcessCommandLine matches regex @".*\b(find|grep|chmod|ls)\b.*\b(group|sudo|permission)\b.*"
| project TimeGenerated, DeviceName, ProcessCommandLine, AccountName
fail327.89s0.0675
gpt-5-high
sh -c "find /usr/bin -perm -2000"
let linuxDevices = DeviceInfo
    | where OSPlatform == "Linux"
    | distinct DeviceId;
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where DeviceId in (linuxDevices)
// Optional: scope to a specific device or user if known
// | where DeviceName == "<hostname>" or AccountName =~ "<user>"
| where ProcessCommandLine has "find"
// Look for SGID or other elevated group permission searches
| where ProcessCommandLine matches regex @"(?i)\bfind\b.*(-perm\s+(-|/)?g\s*[=+]\s*s|-perm\s+-0?2000|-perm\s+(-|/)?g\s*[=+]\s*w)"
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, 
          InitiatingProcessFileName, InitiatingProcessCommandLine, 
          InitiatingProcessParentFileName, ProcessId, InitiatingProcessId, DeviceId
| order by TimeGenerated asc
pass183.45s0.0559
gpt-5-mini-high
no answer
no query generatedfail50.00s0.0207
gpt-5-mini-low
no answer
no query generatedfail50.00s0.0177
gpt-5-mini-medium
find /usr/bin -perm -2000
union isfuzzy=true DeviceProcessEvents, DeviceEvents
| where TimeGenerated between (startofday(ago(7d)) .. now())
| extend cmd = tostring(coalesce(ProcessCommandLine, InitiatingProcessCommandLine, ProcessCommandLine))
| where isnotempty(cmd)
// focus on Linux-origin or commonly Linux shells (optional separate filter if your environment sets SourceSystem)
| where SourceSystem == "Linux" or tolower(DeviceName) contains "linux" or cmd has "bash" or cmd has "sh" or cmd has "zsh" or cmd has "ksh" or cmd has "find"
// look for find invocations that include permission checks or SUID/SGID bits
| where cmd has "find" and (cmd has "-perm" or cmd has "suid" or cmd has "sgid" or cmd has "setgid" or cmd has "setuid" or cmd has "-2000" or cmd has "-4000" or cmd has "g+s" or cmd has "g+w")
| extend find_cmd = extract(@"(?i)(find\s+[^;\n]+)", 1, cmd)
| extend perm_part = extract(@"(?i)(-perm\s+[^\s;]+|g\+s|g\+w|suid|sgid|-2000|-4000|-perm[:=]?[^\s;]+)", 1, cmd)
| project TimeGenerated, DeviceName, DeviceId, ProcessId, InitiatingProcessId, AccountName, InitiatingProcessAccountName, ProcessCreationTime, cmd, find_cmd, perm_part
| order by TimeGenerated desc
| distinct DeviceName, ProcessId, cmd, TimeGenerated
| limit 200
pass242.50s0.0100
gpt-5-nano-high
sh -c "find /usr/bin -perm -2000"
DeviceProcessEvents
| where isnotempty(ProcessCommandLine)
| where (InitiatingProcessFileName in ('bash','sh','zsh','dash','ash')
       or InitiatingProcessCommandLine contains '/bin/bash'
       or InitiatingProcessCommandLine contains '/bin/sh')
| where ProcessCommandLine contains 'find' and ((ProcessCommandLine contains '-perm') or (ProcessCommandLine contains 'setgid') or (ProcessCommandLine contains 'g=s'))
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId, ProcessCommandLine, ProcessId, AccountName, InitiatingProcessAccountName, InitiatingProcessAccountDomain
| sort by TimeGenerated desc
| take 50
pass143.13s0.0026
gpt-5-nano-medium
sh -c "find /usr/bin -perm -2000"
let StartTime = ago(24h); DeviceProcessEvents
| where TimeGenerated between (StartTime .. now())
| extend CmdLine = coalesce(InitiatingProcessCommandLine, ProcessCommandLine)
| where CmdLine contains "bash" or CmdLine contains "/bin/bash" or CmdLine contains "sh" or CmdLine contains "/bin/sh"
| where CmdLine contains "find" and (CmdLine contains "-perm" or CmdLine contains "perm") and ((CmdLine contains "2000") or (CmdLine contains "setgid") or (CmdLine contains "setuid") or (CmdLine contains "g+s"))
| project TimeGenerated, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessId, InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, CmdLine, ProcessId, ProcessCommandLine, InitiatingProcessCreationTime
| sort by TimeGenerated asc
pass5152.03s0.0087
grok-3-beta
find /usr/bin -perm -2000
DeviceProcessEvents
| join kind=inner DeviceInfo on DeviceId
| where OSPlatform contains "Linux"
| where ProcessCommandLine has "find" and ProcessCommandLine has_any ("group", "-group", "perm", "-perm")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
| limit 50
pass229.95s0.0554
grok-3-mini-beta
no answer
no query generatedfail50.00s0.0073
o1-high
find /usr/bin -perm -2000
DeviceProcessEvents
| join kind=inner (
    DeviceInfo
    | where OSPlatform =~ "Linux"
) on DeviceId
| where ActionType == "ProcessCreated"
| where ProcessCommandLine has "find" and ProcessCommandLine has_any ("perm", "sgid")
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine, FolderPath, InitiatingProcessFolderPath
| order by TimeGenerated desc
pass141.06s0.4719
o1-low
no answer
no query generatedfail50.00s0.7419
o3-high
sh -c "find /usr/bin -perm -2000"
let LinuxDevices = DeviceInfo
    | where OSPlatform startswith "Linux"
    | project DeviceId, OSPlatform, DeviceName;
DeviceProcessEvents
| where Timestamp between (startofday(ago(1d)) .. now()) // Time range placeholder – replaced by portal picker
| join kind=inner (LinuxDevices) on DeviceId
| where FileName in ("find","sh","bash","dash","ksh","zsh","csh") or ProcessCommandLine has "find"
| where ProcessCommandLine has "-perm" and (
        ProcessCommandLine has "-g=s" or
        ProcessCommandLine has "-g+s" or 
        ProcessCommandLine has "-2000" or
        ProcessCommandLine has "-02000" or
        ProcessCommandLine has "-2\000" // numeric SGID variations
    )
| project TimeGenerated,
          DeviceName,
          AccountName,
          FileName,
          ProcessCommandLine,
          FolderPath,
          InitiatingProcessFileName,
          InitiatingProcessCommandLine,
          InitiatingProcessAccountName,
          ProcessId,
          InitiatingProcessId
| order by TimeGenerated desc
pass148.64s0.0515
o3-mini-high
find /usr/bin -perm -2000
DeviceProcessEvents
| where isnotempty(InitiatingProcessCommandLine)
| where InitiatingProcessCommandLine has "find" and InitiatingProcessCommandLine has "-perm"
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine
| sort by TimeGenerated desc
pass118.74s0.0138
o3-mini-low
find
DeviceProcessEvents
| where ProcessCommandLine has "find" and ProcessCommandLine has "-2000"
| project TimeGenerated, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, FolderPath, FileName
| sort by TimeGenerated desc
fail121.73s0.0132
o4-mini-high
find /usr/bin -perm -2000
let linuxDevices = DeviceInfo
| where OSPlatform == "Linux"
| distinct DeviceId;
DeviceProcessEvents
| where DeviceId in (linuxDevices)
| where ProcessCommandLine matches regex @"\bfind\b.*(-perm\s+(?:/g\+s|-2000))"
| project TimeGenerated, DeviceName, ProcessId, InitiatingProcessFileName, InitiatingProcessAccountName, ProcessCommandLine
| sort by TimeGenerated asc
pass143.70s0.0152
o4-mini-low
sh -c "find /usr/bin -perm -2000"
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine has "find" and ProcessCommandLine has "-perm"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessId, ProcessCommandLine
| sort by TimeGenerated desc
pass385.21s0.0308