Question Analysis
A malicious actor may attempt to list running processes on a Windows machine using a WMI-based command. Review the process creation events to find out which utility was invoked to perform this enumeration.
Question ID: 640cbf6d-659b-498b-ba53-f6dd1a1cc02c
Models Correct: 7/16
Valid Answer: 1
Success Rate: 44%
Reference Answer
Human-validated correct answer for this question: wmic.exe
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | Status | Attempts | Time | Cost
---|---|---|---|---|---
gemini-2.5-flash-preview-04-17 | powershell.exe | Incorrect | 1 | 10.70s | 0.0037
gpt-35-turbo | wmiprvse.exe | Incorrect | 1 | 3.99s | 0.0024
gpt-4-turbo-2024-04-09 | driverquery | Incorrect | 4 | 25.93s | 0.2298
gpt-4.1 | powershell.exe | Incorrect | 1 | 4.86s | 0.0115
gpt-4.1-finetuned | No answer provided | Incorrect | 5 | 0.00s | 0.0333
gpt-4.1-mini | powershell.exe | Incorrect | 3 | 78.71s | 0.0073
gpt-4.1-nano | tasklist | Incorrect | 3 | 5.06s | 0.0009
gpt-4o | No answer provided | Incorrect | 5 | 0.00s | 0.0540
grok-3-beta | wmic | Correct | 3 | 21.83s | 0.0567
grok-3-mini-beta | wmic | Correct | 1 | 13.42s | 0.0015
o1-high | wmic | Correct | 2 | 104.13s | 0.3759
o1-low | wmic | Correct | 1 | 24.17s | 0.1832
o3-mini-high | wmic | Correct | 1 | 20.69s | 0.0126
o3-mini-low | wmic | Correct | 1 | 9.69s | 0.0098
o4-mini-high | wmic | Correct | 1 | 35.95s | 0.0144
o4-mini-low | No answer provided | Incorrect | 5 | 0.00s | 0.0399

KQL Query Generated by Each Model
The query each model produced is listed below; gpt-4.1-finetuned, gpt-4o and o4-mini-low generated no query.

gemini-2.5-flash-preview-04-17 (Incorrect):
```kql
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine contains "wmic process list" or ProcessCommandLine contains "Get-Process" or ProcessCommandLine contains "Get-CimInstance" or ProcessCommandLine contains "Get-WmiObject"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
```

gpt-35-turbo (Incorrect):
```kql
DeviceProcessEvents
| where ActionType == 'ProcessCreated'
| where FileName endswith '.exe'
| summarize count() by InitiatingProcessFileName
```

gpt-4-turbo-2024-04-09 (Incorrect):
```kql
DeviceProcessEvents
| where (InitiatingProcessCommandLine has_any('wmic', 'Get-WmiObject', 'gwmi', 'select', 'from', 'Win32_Process') or InitiatingProcessFileName =~ 'powershell.exe')
| where InitiatingProcessCommandLine has 'list' or InitiatingProcessCommandLine contains 'Select *'
| project DeviceName, InitiatingProcessCommandLine, ProcessCreationTime
```

gpt-4.1 (Incorrect):
```kql
DeviceProcessEvents
| where (tolower(FileName) == "wmic.exe" and ProcessCommandLine has_all ("process", "list"))
    or (tolower(FileName) == "powershell.exe" and (ProcessCommandLine has "Get-WmiObject" or ProcessCommandLine has "Get-CimInstance") and ProcessCommandLine has "Win32_Process")
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine
```

gpt-4.1-mini (Incorrect):
```kql
DeviceProcessEvents
| where ProcessCommandLine contains "wmic" or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "Get-WmiObject" or ProcessCommandLine contains "Invoke-WmiMethod" or FileName == "wmic.exe" or FileName == "powershell.exe"
| project DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, ProcessCreationTime
| sort by ProcessCreationTime desc
| take 50
```

gpt-4.1-nano (Incorrect):
```kql
DeviceProcessEvents
| where ProcessCommandLine contains "wmic process list" or ProcessCommandLine contains "powershell Get-Process" or ProcessCommandLine contains "tasklist"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine
```

grok-3-beta (Correct):
```kql
DeviceProcessEvents
| where ProcessCommandLine has 'wmic' and ProcessCommandLine has 'process' and (ProcessCommandLine has 'list' or ProcessCommandLine has 'get')
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessAccountName
| summarize Count=count() by InitiatingProcessFileName, ProcessCommandLine, DeviceName, InitiatingProcessAccountName, Timestamp
| order by Timestamp desc
| take 100
```

grok-3-mini-beta (Correct):
```kql
DeviceProcessEvents
| where ProcessCommandLine has 'wmic process' or ProcessCommandLine has 'Get-WmiObject Win32_Process'
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine
| order by TimeGenerated desc
```

o1-high (Correct):
```kql
DeviceProcessEvents
| where ActionType in~ ("CreateProcess", "ProcessCreated")
| where isnotempty(ProcessCommandLine)
| where tolower(ProcessCommandLine) has_any ("wmic", "get-wmiobject", "get-ciminstance", "win32_process", "gwmi")
| project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
```

o1-low (Correct):
```kql
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName =~ "wmic.exe" or ProcessCommandLine has_any ("wmic process", "Get-WmiObject", "Get-CimInstance", "win32_process")
| project TimeGenerated, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
```

o3-mini-high (Correct):
```kql
DeviceProcessEvents
| where isnotempty(ProcessCommandLine) and (ProcessCommandLine contains "wmic" or InitiatingProcessCommandLine contains "wmic")
| project TimeGenerated, DeviceName, AccountName, ProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
```

o3-mini-low (Correct):
```kql
DeviceProcessEvents
| where ProcessCommandLine has "wmic" and ProcessCommandLine has "process"
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by TimeGenerated desc
```

o4-mini-high (Correct):
```kql
DeviceProcessEvents
| where ActionType == "ProcessCreated"
    and (
        ProcessCommandLine has_cs "wmic"
        or ProcessCommandLine has_cs "Get-WmiObject"
        or ProcessCommandLine has_cs "gwmi"
    )
| project TimeGenerated,
    DeviceName,
    AccountName = InitiatingProcessAccountName,
    ParentProcess = InitiatingProcessFileName,
    ParentCommandLine = InitiatingProcessCommandLine,
    ProcessFileName = FileName,
    ProcessCommandLine
| order by TimeGenerated desc
```