// question

A process is running under a familiar Windows host name but originates from a user's AppData folder rather than the System32 directory. Identify the filename used to masquerade the PowerShell binary on this Windows device.

Reference KQL answer and model-by-model comparison.

ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa
question id
9/23
models correct
1
valid answer
39%
success rate
// reference answer

Human-validated correct answer for this question.

taskhostw.exe
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
svchost.exe
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FolderPath contains "AppData"
| where FolderPath !contains "System32"
| project Timestamp, DeviceName, FolderPath, FileName, ProcessCommandLine, InitiatingProcessFileName
fail222.64s0.0107
gpt-35-turbo
no answer
no query generatedfail50.00s0.0109
gpt-4-turbo-2024-04-09
no answer
no query generatedfail50.00s0.2288
gpt-4.1
taskhostw.exe
DeviceProcessEvents
| where (ProcessVersionInfoInternalFileName =~ "powershell.exe" or ProcessVersionInfoOriginalFileName =~ "powershell.exe")
// Exclude standard System32 path
| where tolower(FolderPath) has "appdata" and not(tolower(FolderPath) has "windows\\system32")
| project TimeGenerated, DeviceName, FileName, FolderPath, ProcessCommandLine, AccountName, ProcessVersionInfoCompanyName, ProcessVersionInfoFileDescription, ProcessVersionInfoOriginalFileName
| order by TimeGenerated desc
pass210.54s0.0224
gpt-4.1-finetuned
no answer
no query generatedfail50.00s0.0386
gpt-4.1-mini
svchost.exe
DeviceProcessEvents
| where FolderPath contains "AppData"
| where FileName != "powershell.exe" and 
       (InitiatingProcessVersionInfoOriginalFileName == "powershell.exe" or 
        InitiatingProcessVersionInfoFileDescription contains "PowerShell")
| summarize count() by FileName, FolderPath, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath
| project FileName, FolderPath, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath
| take 10
fail15.98s0.0023
gpt-4.1-nano
no answer
no query generatedfail50.00s0.0015
gpt-4o
no answer
no query generatedfail50.00s0.0459
gpt-5-high
taskhostw.exe
let targetDevice = "";  // optionally set to a specific DeviceName or DeviceId
let familiar_host_names = dynamic(["svchost.exe","services.exe","lsass.exe","conhost.exe","spoolsv.exe","rundll32.exe","dllhost.exe","taskhostw.exe","taskhostex.exe","winlogon.exe","smss.exe","csrss.exe","wininit.exe","ctfmon.exe","explorer.exe","searchhost.exe","werfault.exe","sihost.exe"]);
DeviceProcessEvents
| where ActionType == "ProcessCreated"
// Identify the binary as PowerShell (original file) even if renamed
| where tolower(ProcessVersionInfoOriginalFileName) in ("powershell.exe","pwsh.exe") 
    or ProcessVersionInfoFileDescription has_cs "Windows PowerShell"
    or ProcessCommandLine matches regex @"(?i)\b(powershell|pwsh)(\.exe)?\b"
// Not from legitimate Windows directories; specifically from user AppData
| where tostring(FolderPath) != "" and tolower(FolderPath) contains "\\users\\" and tolower(FolderPath) contains "\\appdata\\"
| where not(tolower(FolderPath) startswith "c:\\windows\\system32" or tolower(FolderPath) startswith "c:\\windows\\syswow64")
// Optionally scope to a device
| where targetDevice == "" or DeviceName =~ targetDevice or DeviceId == targetDevice
// Must be masquerading under a familiar Windows host name, not the legit powershell.exe name
| where tolower(FileName) != "powershell.exe" and tolower(FileName) in (familiar_host_names)
| summarize firstSeen=min(TimeGenerated), lastSeen=max(TimeGenerated), execCount=count() by DeviceName, FileName, FolderPath, SHA1
| order by lastSeen desc
pass183.61s0.0465
gpt-5-mini-high
no answer
no query generatedfail50.00s0.0226
gpt-5-mini-low
taskhostw.exe
// Look for processes originating from AppData (not System32) that appear to be PowerShell or copies of it
DeviceProcessEvents
| where tolower(FolderPath) has "appdata" and not(tolower(FolderPath) has "system32")
// Indicators of PowerShell or a PowerShell binary renamed/maliciously placed in AppData
| where (
    tolower(ProcessVersionInfoOriginalFileName) has "powershell" 
    or tolower(ProcessVersionInfoInternalFileName) has "powershell"
    or tolower(FileName) has_any ("powershell","pwsh")
    or tolower(ProcessCommandLine) has_any ("powershell","pwsh","-enc","-encodedcommand","-nop","-noninteractive","-w hidden","-windowstyle hidden")
  )
| project TimeGenerated, DeviceName, FileName, FolderPath, ProcessId, ProcessCommandLine, ProcessVersionInfoOriginalFileName, ProcessVersionInfoInternalFileName, InitiatingProcessFileName, InitiatingProcessFolderPath, SHA256, MD5
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Count = count(), AnyCommandLines = make_set(ProcessCommandLine, 5), AnyInitiators = make_set(InitiatingProcessFileName, 5) by DeviceName, FileName, FolderPath, ProcessVersionInfoOriginalFileName, ProcessVersionInfoInternalFileName, SHA256, MD5
| order by LastSeen desc
| take 50
pass230.57s0.0069
gpt-5-mini-medium
calc.exe
union isfuzzy=true DeviceProcessEvents, DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents
| extend Folder = tolower(coalesce(FolderPath, InitiatingProcessFolderPath, ""))
| extend ProcFile = tolower(coalesce(FileName, InitiatingProcessFileName, FileName, ""))
| extend OrigName = tolower(coalesce(ProcessVersionInfoOriginalFileName, InitiatingProcessVersionInfoOriginalFileName, ProcessVersionInfoInternalFileName, InitiatingProcessVersionInfoInternalFileName, ""))
| extend Cmd = tolower(tostring(coalesce(ProcessCommandLine, InitiatingProcessCommandLine, "")))
// only consider binaries coming from an AppData folder (exclude System32)
| where Folder contains "\\appdata\\" and Folder !contains "\\windows\\system32\\"
// look for PowerShell indicators in version-info or command line (including encoded/IE/Invoke-Expression)
| where OrigName contains "powershell" or Cmd contains "powershell" or Cmd contains "-enc" or Cmd contains "encodedcommand" or Cmd contains "invoke-expression" or Cmd contains "iex"
// exclude legitimate powershell.exe by filename
| where ProcFile !contains "powershell"
// reduce noisy results: focus on filenames seen on limited number of devices (likely masquerades)
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Occurrences = count(), Devices = dcount(DeviceName), UniqueProcIds = dcount(coalesce(ProcessId, InitiatingProcessId)) by ProcFile, OrigName, Folder, Sha256 = coalesce(SHA256, InitiatingProcessSHA256), MD5 = coalesce(MD5, InitiatingProcessMD5)
| where Devices <= 10
| order by FirstSeen desc
| take 50
fail476.56s0.0218
gpt-5-nano-high
svchost.exe
DeviceProcessEvents
| where (FolderPath contains "AppData" and not (FolderPath contains "System32")) or (InitiatingProcessFolderPath contains "AppData" and not (InitiatingProcessFolderPath contains "System32"))
| where (FileName contains "powershell" or InitiatingProcessFileName contains "powershell" or ProcessCommandLine contains "powershell" or InitiatingProcessCommandLine contains "powershell")
| project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine
| distinct DeviceName, FileName, FolderPath
fail139.14s0.0025
gpt-5-nano-medium
no answer
no query generatedfail50.00s0.0072
grok-3-beta
no answer
no query generatedfail50.00s0.0929
grok-3-mini-beta
taskhostw.exe
DeviceProcessEvents
| where FolderPath contains 'AppData' and not(FolderPath contains 'System32')
| where ProcessVersionInfoOriginalFileName contains 'powershell'
| distinct FileName
pass222.49s0.0029
o1-high
taskhostw.exe
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessVersionInfoOriginalFileName == "PowerShell.EXE"
| where FolderPath contains "AppData"
| project TimeGenerated, DeviceName, FolderPath, FileName, ProcessCommandLine, SHA256
pass142.44s0.1654
o1-low
taskhostw.exe
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where tolower(ProcessVersionInfoOriginalFileName) == "powershell.exe"
| where tolower(FolderPath) has "users" and tolower(FolderPath) has "appdata"
| project TimeGenerated, DeviceName, FolderPath, FileName, ProcessCommandLine, AccountName, AccountDomain
| order by TimeGenerated desc
pass257.04s0.4173
o3-high
taskhostw.exe
// Detect PowerShell binaries that have been renamed and executed from a user's AppData folder
DeviceProcessEvents
| where ActionType == "ProcessCreated"                        // process start events only
// 1.  Identify files whose PE-metadata says they are PowerShell
| where tolower(ProcessVersionInfoInternalFileName) == "powershell.exe" or
       tolower(ProcessVersionInfoOriginalFileName) == "powershell.exe"
// 2.  But the file on disk is not the legitimate name or path
| where tolower(FileName) != "powershell.exe"                  // masqueraded name
| where FolderPath has "\\appdata\\"                          // executed from the user profile
| where FolderPath !has "\\windows\\system32" and FolderPath !has "\\windows\\syswow64"
// 3.  Surface the masquerading filename
| project TimeGenerated, DeviceName, User = strcat(AccountDomain, "\\", AccountName), FileName,
          FolderPath, SHA256, Signed = InitiatingProcessSignatureStatus, CommandLine = ProcessCommandLine
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by DeviceName, FileName, FolderPath, SHA256, User, Signed
| order by LastSeen desc
pass124.19s0.0191
o3-mini-high
svchost.exe
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where tolower(FolderPath) contains "appdata" and tolower(FolderPath) !contains "system32"
| where tolower(InitiatingProcessVersionInfoOriginalFileName) == "powershell.exe"
| where tolower(FileName) != "powershell.exe"
| project TimeGenerated, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessVersionInfoOriginalFileName
| limit 50
fail235.42s0.0234
o3-mini-low
svchost.exe
DeviceProcessEvents
| where tolower(FolderPath) contains "appdata" and tolower(FolderPath) !contains "system32"
| where tolower(ProcessCommandLine) contains "powershell" or tolower(InitiatingProcessVersionInfoOriginalFileName) contains "powershell"
| project TimeGenerated, DeviceName, FileName, InitiatingProcessVersionInfoOriginalFileName, FolderPath, ProcessCommandLine, ProcessId
| sort by TimeGenerated desc
fail355.06s0.0373
o4-mini-high
taskhostw.exe
DeviceProcessEvents
// Processes launched from a user AppData folder (not the system path)
| where FolderPath has "\\Users\\" and FolderPath has "\\AppData\\" and not(FolderPath has "\\Windows\\System32\\")
// Identify entries where the original file name is PowerShell but the actual file name differs
| where tolower(ProcessVersionInfoOriginalFileName) == "powershell.exe" and tolower(FileName) != "powershell.exe"
// Aggregate by the masquerade filename
| summarize Occurrences = count() by MasqueradeFile = FileName
| sort by Occurrences desc
pass5169.55s0.0362
o4-mini-low
taskhostw.exe
DeviceProcessEvents
| where FolderPath has "\\AppData\\"    // Running out of a user profile AppData folder
| where ProcessVersionInfoOriginalFileName endswith "powershell.exe"  // Internally still PowerShell
| where FileName != "powershell.exe"     // Exclude the real PowerShell binary name
| distinct FileName
pass141.01s0.0064