Question Analysis
A process is running under a familiar Windows host name but originates from a user's AppData folder rather than the System32 directory. Identify the filename used to masquerade the PowerShell binary on this Windows device.
Question ID: ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa
Models Correct: 6/16
Valid Answer: 1
Success Rate: 38%
Reference Answer
Human-validated correct answer for this question: taskhostw.exe
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | Status | Attempts | Time | Cost
---|---|---|---|---|---
gemini-2.5-flash-preview-04-17 | svchost.exe | Incorrect | 2 | 22.64s | 0.0107
gpt-35-turbo | No answer provided | Incorrect | 5 | 0.00s | 0.0109
gpt-4-turbo-2024-04-09 | No answer provided | Incorrect | 5 | 0.00s | 0.2288
gpt-4.1 | taskhostw.exe | Correct | 2 | 10.54s | 0.0224
gpt-4.1-finetuned | No answer provided | Incorrect | 5 | 0.00s | 0.0386
gpt-4.1-mini | svchost.exe | Incorrect | 1 | 5.98s | 0.0023
gpt-4.1-nano | No answer provided | Incorrect | 5 | 0.00s | 0.0015
gpt-4o | No answer provided | Incorrect | 5 | 0.00s | 0.0459
grok-3-beta | No answer provided | Incorrect | 5 | 0.00s | 0.0929
grok-3-mini-beta | taskhostw.exe | Correct | 2 | 22.49s | 0.0029
o1-high | taskhostw.exe | Correct | 1 | 42.44s | 0.1654
o1-low | taskhostw.exe | Correct | 2 | 57.04s | 0.4173
o3-mini-high | svchost.exe | Incorrect | 2 | 35.42s | 0.0234
o3-mini-low | svchost.exe | Incorrect | 3 | 55.06s | 0.0373
o4-mini-high | taskhostw.exe | Correct | 5 | 169.55s | 0.0362
o4-mini-low | taskhostw.exe | Correct | 1 | 41.01s | 0.0064

KQL Queries
The query each model generated, reproduced verbatim. Models marked "No answer provided" above generated no query and are omitted here.

gemini-2.5-flash-preview-04-17 (Incorrect)
```kql
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FolderPath contains "AppData"
| where FolderPath !contains "System32"
| project Timestamp, DeviceName, FolderPath, FileName, ProcessCommandLine, InitiatingProcessFileName
```

gpt-4.1 (Correct)
```kql
DeviceProcessEvents
| where (ProcessVersionInfoInternalFileName =~ "powershell.exe" or ProcessVersionInfoOriginalFileName =~ "powershell.exe")
// Exclude standard System32 path
| where tolower(FolderPath) has "appdata" and not(tolower(FolderPath) has "windows\\system32")
| project TimeGenerated, DeviceName, FileName, FolderPath, ProcessCommandLine, AccountName, ProcessVersionInfoCompanyName, ProcessVersionInfoFileDescription, ProcessVersionInfoOriginalFileName
| order by TimeGenerated desc
```

gpt-4.1-mini (Incorrect)
```kql
DeviceProcessEvents
| where FolderPath contains "AppData"
| where FileName != "powershell.exe" and
(InitiatingProcessVersionInfoOriginalFileName == "powershell.exe" or
InitiatingProcessVersionInfoFileDescription contains "PowerShell")
| summarize count() by FileName, FolderPath, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath
| project FileName, FolderPath, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath
| take 10
```

grok-3-mini-beta (Correct)
```kql
DeviceProcessEvents
| where FolderPath contains 'AppData' and not(FolderPath contains 'System32')
| where ProcessVersionInfoOriginalFileName contains 'powershell'
| distinct FileName
```

o1-high (Correct)
```kql
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessVersionInfoOriginalFileName == "PowerShell.EXE"
| where FolderPath contains "AppData"
| project TimeGenerated, DeviceName, FolderPath, FileName, ProcessCommandLine, SHA256
```

o1-low (Correct)
```kql
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where tolower(ProcessVersionInfoOriginalFileName) == "powershell.exe"
| where tolower(FolderPath) has "users" and tolower(FolderPath) has "appdata"
| project TimeGenerated, DeviceName, FolderPath, FileName, ProcessCommandLine, AccountName, AccountDomain
| order by TimeGenerated desc
```

o3-mini-high (Incorrect)
```kql
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where tolower(FolderPath) contains "appdata" and tolower(FolderPath) !contains "system32"
| where tolower(InitiatingProcessVersionInfoOriginalFileName) == "powershell.exe"
| where tolower(FileName) != "powershell.exe"
| project TimeGenerated, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessVersionInfoOriginalFileName
| limit 50
```

o3-mini-low (Incorrect)
```kql
DeviceProcessEvents
| where tolower(FolderPath) contains "appdata" and tolower(FolderPath) !contains "system32"
| where tolower(ProcessCommandLine) contains "powershell" or tolower(InitiatingProcessVersionInfoOriginalFileName) contains "powershell"
| project TimeGenerated, DeviceName, FileName, InitiatingProcessVersionInfoOriginalFileName, FolderPath, ProcessCommandLine, ProcessId
| sort by TimeGenerated desc
```

o4-mini-high (Correct)
```kql
DeviceProcessEvents
// Processes launched from a user AppData folder (not the system path)
| where FolderPath has "\\Users\\" and FolderPath has "\\AppData\\" and not(FolderPath has "\\Windows\\System32\\")
// Identify entries where the original file name is PowerShell but the actual file name differs
| where tolower(ProcessVersionInfoOriginalFileName) == "powershell.exe" and tolower(FileName) != "powershell.exe"
// Aggregate by the masquerade filename
| summarize Occurrences = count() by MasqueradeFile = FileName
| sort by Occurrences desc
```

o4-mini-low (Correct)
```kql
DeviceProcessEvents
| where FolderPath has "\\AppData\\" // Running out of a user profile AppData folder
| where ProcessVersionInfoOriginalFileName endswith "powershell.exe" // Internally still PowerShell
| where FileName != "powershell.exe" // Exclude the real PowerShell binary name
| distinct FileName
```