// question
A process is running under a familiar Windows host name but originates from a user's AppData folder rather than the System32 directory. Identify the filename used to masquerade the PowerShell binary on this Windows device.
Reference KQL answer and model-by-model comparison.
ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa
question id
9/23
models correct
1
valid answer
39%
success rate
// reference answer
Human-validated correct answer for this question.
taskhostw.exe
// model comparison
| Model | Answer | KQL query | Status | Tries | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | svchost.exe | DeviceProcessEvents | where ActionType == "ProcessCreated" | where FolderPath contains "AppData" | where FolderPath !contains "System32" | project Timestamp, DeviceName, FolderPath, FileName, ProcessCommandLine, InitiatingProcessFileName | fail | 2 | 22.64s | 0.0107 |
| gpt-35-turbo | no answer | no query generated | fail | 5 | 0.00s | 0.0109 |
| gpt-4-turbo-2024-04-09 | no answer | no query generated | fail | 5 | 0.00s | 0.2288 |
| gpt-4.1 | taskhostw.exe | DeviceProcessEvents | where (ProcessVersionInfoInternalFileName =~ "powershell.exe" or ProcessVersionInfoOriginalFileName =~ "powershell.exe") // Exclude standard System32 path | where tolower(FolderPath) has "appdata" and not(tolower(FolderPath) has "windows\\system32") | project TimeGenerated, DeviceName, FileName, FolderPath, ProcessCommandLine, AccountName, ProcessVersionInfoCompanyName, ProcessVersionInfoFileDescription, ProcessVersionInfoOriginalFileName | order by TimeGenerated desc | pass | 2 | 10.54s | 0.0224 |
| gpt-4.1-finetuned | no answer | no query generated | fail | 5 | 0.00s | 0.0386 |
| gpt-4.1-mini | svchost.exe | DeviceProcessEvents
| where FolderPath contains "AppData"
| where FileName != "powershell.exe" and
(InitiatingProcessVersionInfoOriginalFileName == "powershell.exe" or
InitiatingProcessVersionInfoFileDescription contains "PowerShell")
| summarize count() by FileName, FolderPath, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath
| project FileName, FolderPath, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath
| take 10 | fail | 1 | 5.98s | 0.0023 |
| gpt-4.1-nano | no answer | no query generated | fail | 5 | 0.00s | 0.0015 |
| gpt-4o | no answer | no query generated | fail | 5 | 0.00s | 0.0459 |
| gpt-5-high | taskhostw.exe | let targetDevice = ""; // optionally set to a specific DeviceName or DeviceId
let familiar_host_names = dynamic(["svchost.exe","services.exe","lsass.exe","conhost.exe","spoolsv.exe","rundll32.exe","dllhost.exe","taskhostw.exe","taskhostex.exe","winlogon.exe","smss.exe","csrss.exe","wininit.exe","ctfmon.exe","explorer.exe","searchhost.exe","werfault.exe","sihost.exe"]);
DeviceProcessEvents
| where ActionType == "ProcessCreated"
// Identify the binary as PowerShell (original file) even if renamed
| where tolower(ProcessVersionInfoOriginalFileName) in ("powershell.exe","pwsh.exe")
or ProcessVersionInfoFileDescription has_cs "Windows PowerShell"
or ProcessCommandLine matches regex @"(?i)\b(powershell|pwsh)(\.exe)?\b"
// Not from legitimate Windows directories; specifically from user AppData
| where tostring(FolderPath) != "" and tolower(FolderPath) contains "\\users\\" and tolower(FolderPath) contains "\\appdata\\"
| where not(tolower(FolderPath) startswith "c:\\windows\\system32" or tolower(FolderPath) startswith "c:\\windows\\syswow64")
// Optionally scope to a device
| where targetDevice == "" or DeviceName =~ targetDevice or DeviceId == targetDevice
// Must be masquerading under a familiar Windows host name, not the legit powershell.exe name
| where tolower(FileName) != "powershell.exe" and tolower(FileName) in (familiar_host_names)
| summarize firstSeen=min(TimeGenerated), lastSeen=max(TimeGenerated), execCount=count() by DeviceName, FileName, FolderPath, SHA1
| order by lastSeen desc | pass | 1 | 83.61s | 0.0465 |
| gpt-5-mini-high | no answer | no query generated | fail | 5 | 0.00s | 0.0226 |
| gpt-5-mini-low | taskhostw.exe | // Look for processes originating from AppData (not System32) that appear to be PowerShell or copies of it
DeviceProcessEvents
| where tolower(FolderPath) has "appdata" and not(tolower(FolderPath) has "system32")
// Indicators of PowerShell or a PowerShell binary renamed/maliciously placed in AppData
| where (
tolower(ProcessVersionInfoOriginalFileName) has "powershell"
or tolower(ProcessVersionInfoInternalFileName) has "powershell"
or tolower(FileName) has_any ("powershell","pwsh")
or tolower(ProcessCommandLine) has_any ("powershell","pwsh","-enc","-encodedcommand","-nop","-noninteractive","-w hidden","-windowstyle hidden")
)
| project TimeGenerated, DeviceName, FileName, FolderPath, ProcessId, ProcessCommandLine, ProcessVersionInfoOriginalFileName, ProcessVersionInfoInternalFileName, InitiatingProcessFileName, InitiatingProcessFolderPath, SHA256, MD5
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Count = count(), AnyCommandLines = make_set(ProcessCommandLine, 5), AnyInitiators = make_set(InitiatingProcessFileName, 5) by DeviceName, FileName, FolderPath, ProcessVersionInfoOriginalFileName, ProcessVersionInfoInternalFileName, SHA256, MD5
| order by LastSeen desc
| take 50 | pass | 2 | 30.57s | 0.0069 |
| gpt-5-mini-medium | calc.exe | union isfuzzy=true DeviceProcessEvents, DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents | extend Folder = tolower(coalesce(FolderPath, InitiatingProcessFolderPath, "")) | extend ProcFile = tolower(coalesce(FileName, InitiatingProcessFileName, FileName, "")) | extend OrigName = tolower(coalesce(ProcessVersionInfoOriginalFileName, InitiatingProcessVersionInfoOriginalFileName, ProcessVersionInfoInternalFileName, InitiatingProcessVersionInfoInternalFileName, "")) | extend Cmd = tolower(tostring(coalesce(ProcessCommandLine, InitiatingProcessCommandLine, ""))) // only consider binaries coming from an AppData folder (exclude System32) | where Folder contains "\\appdata\\" and Folder !contains "\\windows\\system32\\" // look for PowerShell indicators in version-info or command line (including encoded/IE/Invoke-Expression) | where OrigName contains "powershell" or Cmd contains "powershell" or Cmd contains "-enc" or Cmd contains "encodedcommand" or Cmd contains "invoke-expression" or Cmd contains "iex" // exclude legitimate powershell.exe by filename | where ProcFile !contains "powershell" // reduce noisy results: focus on filenames seen on limited number of devices (likely masquerades) | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Occurrences = count(), Devices = dcount(DeviceName), UniqueProcIds = dcount(coalesce(ProcessId, InitiatingProcessId)) by ProcFile, OrigName, Folder, Sha256 = coalesce(SHA256, InitiatingProcessSHA256), MD5 = coalesce(MD5, InitiatingProcessMD5) | where Devices <= 10 | order by FirstSeen desc | take 50 | fail | 4 | 76.56s | 0.0218 |
| gpt-5-nano-high | svchost.exe | DeviceProcessEvents | where (FolderPath contains "AppData" and not (FolderPath contains "System32")) or (InitiatingProcessFolderPath contains "AppData" and not (InitiatingProcessFolderPath contains "System32")) | where (FileName contains "powershell" or InitiatingProcessFileName contains "powershell" or ProcessCommandLine contains "powershell" or InitiatingProcessCommandLine contains "powershell") | project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine | distinct DeviceName, FileName, FolderPath | fail | 1 | 39.14s | 0.0025 |
| gpt-5-nano-medium | no answer | no query generated | fail | 5 | 0.00s | 0.0072 |
| grok-3-beta | no answer | no query generated | fail | 5 | 0.00s | 0.0929 |
| grok-3-mini-beta | taskhostw.exe | DeviceProcessEvents | where FolderPath contains 'AppData' and not(FolderPath contains 'System32') | where ProcessVersionInfoOriginalFileName contains 'powershell' | distinct FileName | pass | 2 | 22.49s | 0.0029 |
| o1-high | taskhostw.exe | DeviceProcessEvents | where ActionType == "ProcessCreated" | where ProcessVersionInfoOriginalFileName == "PowerShell.EXE" | where FolderPath contains "AppData" | project TimeGenerated, DeviceName, FolderPath, FileName, ProcessCommandLine, SHA256 | pass | 1 | 42.44s | 0.1654 |
| o1-low | taskhostw.exe | DeviceProcessEvents | where ActionType == "ProcessCreated" | where tolower(ProcessVersionInfoOriginalFileName) == "powershell.exe" | where tolower(FolderPath) has "users" and tolower(FolderPath) has "appdata" | project TimeGenerated, DeviceName, FolderPath, FileName, ProcessCommandLine, AccountName, AccountDomain | order by TimeGenerated desc | pass | 2 | 57.04s | 0.4173 |
| o3-high | taskhostw.exe | // Detect PowerShell binaries that have been renamed and executed from a user's AppData folder
DeviceProcessEvents
| where ActionType == "ProcessCreated" // process start events only
// 1. Identify files whose PE-metadata says they are PowerShell
| where tolower(ProcessVersionInfoInternalFileName) == "powershell.exe" or
tolower(ProcessVersionInfoOriginalFileName) == "powershell.exe"
// 2. But the file on disk is not the legitimate name or path
| where tolower(FileName) != "powershell.exe" // masqueraded name
| where FolderPath has "\\appdata\\" // executed from the user profile
| where FolderPath !has "\\windows\\system32" and FolderPath !has "\\windows\\syswow64"
// 3. Surface the masquerading filename
| project TimeGenerated, DeviceName, User = strcat(AccountDomain, "\\", AccountName), FileName,
FolderPath, SHA256, Signed = InitiatingProcessSignatureStatus, CommandLine = ProcessCommandLine
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by DeviceName, FileName, FolderPath, SHA256, User, Signed
| order by LastSeen desc | pass | 1 | 24.19s | 0.0191 |
| o3-mini-high | svchost.exe | DeviceProcessEvents | where ActionType == "ProcessCreated" | where tolower(FolderPath) contains "appdata" and tolower(FolderPath) !contains "system32" | where tolower(InitiatingProcessVersionInfoOriginalFileName) == "powershell.exe" | where tolower(FileName) != "powershell.exe" | project TimeGenerated, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessVersionInfoOriginalFileName | limit 50 | fail | 2 | 35.42s | 0.0234 |
| o3-mini-low | svchost.exe | DeviceProcessEvents | where tolower(FolderPath) contains "appdata" and tolower(FolderPath) !contains "system32" | where tolower(ProcessCommandLine) contains "powershell" or tolower(InitiatingProcessVersionInfoOriginalFileName) contains "powershell" | project TimeGenerated, DeviceName, FileName, InitiatingProcessVersionInfoOriginalFileName, FolderPath, ProcessCommandLine, ProcessId | sort by TimeGenerated desc | fail | 3 | 55.06s | 0.0373 |
| o4-mini-high | taskhostw.exe | DeviceProcessEvents // Processes launched from a user AppData folder (not the system path) | where FolderPath has "\\Users\\" and FolderPath has "\\AppData\\" and not(FolderPath has "\\Windows\\System32\\") // Identify entries where the original file name is PowerShell but the actual file name differs | where tolower(ProcessVersionInfoOriginalFileName) == "powershell.exe" and tolower(FileName) != "powershell.exe" // Aggregate by the masquerade filename | summarize Occurrences = count() by MasqueradeFile = FileName | sort by Occurrences desc | pass | 5 | 169.55s | 0.0362 |
| o4-mini-low | taskhostw.exe | DeviceProcessEvents | where FolderPath has "\\AppData\\" // Running out of a user profile AppData folder | where ProcessVersionInfoOriginalFileName endswith "powershell.exe" // Internally still PowerShell | where FileName != "powershell.exe" // Exclude the real PowerShell binary name | distinct FileName | pass | 1 | 41.01s | 0.0064 |