Question Analysis

A suspicious BITS transfer was orchestrated via bitsadmin.exe on Windows, creating a job to download and then execute a payload. Investigate the process event logs to determine what custom job name was specified when the BITS job was created.

Question ID: 62a06ec5-5754-47d2-bcfc-123d8314c6ae
Models Correct: 7/16
Valid Answer: 1
Success Rate: 44%

Reference Answer (human-validated correct answer for this question): AtomicBITS

Model Performance Comparison

See how different AI models performed on this question.
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | AtomicBITS | see below | Correct | 1 | 10.24s | 0.0045 |
gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0121 |
gpt-4-turbo-2024-04-09 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2233 |
gpt-4.1 | AtomicBITS | see below | Correct | 1 | 4.30s | 0.0110 |
gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0406 |
gpt-4.1-mini | AtomicBITS | see below | Correct | 1 | 25.77s | 0.0023 |
gpt-4.1-nano | None | see below | Incorrect | 5 | 26.40s | 0.0015 |
gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0597 |
grok-3-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0876 |
grok-3-mini-beta | AtomicBITS | see below | Correct | 1 | 13.77s | 0.0015 |
o1-high | AtomicBITS | see below | Correct | 3 | 92.64s | 0.5674 |
o1-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.9217 |
o3-mini-high | AtomicBITS | see below | Correct | 1 | 11.13s | 0.0084 |
o3-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0347 |
o4-mini-high | AtomicBITS | see below | Correct | 4 | 150.26s | 0.0429 |
o4-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0445 |

KQL queries generated by the models that produced one (reproduced as submitted):

gemini-2.5-flash-preview-04-17:

```kusto
DeviceProcessEvents
| where FileName =~ "bitsadmin.exe"
| where ProcessCommandLine contains "/create" or ProcessCommandLine contains "/addfile"
| extend JobName_create = extract(@"/create\s+([^\s]+)", 1, ProcessCommandLine)
| extend JobName_addfile = extract(@"/addfile\s+([^\s]+)", 1, ProcessCommandLine)
| extend CustomJobName = coalesce(JobName_create, JobName_addfile)
| where isnotnull(CustomJobName)
| project Timestamp, DeviceName, ProcessCommandLine, CustomJobName
```

gpt-4.1:

```kusto
DeviceProcessEvents
| where FileName =~ "bitsadmin.exe"
| where ProcessCommandLine has "/create"
| extend JobName = extract(@"/create\s+([^\s]+)", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, JobName
| where isnotempty(JobName)
| sort by TimeGenerated desc
```

gpt-4.1-mini:

```kusto
DeviceProcessEvents
| where FileName =~ "bitsadmin.exe"
| where ProcessCommandLine contains "create"
| extend JobName = extract(@"create\s+(\S+)", 1, ProcessCommandLine)
| project DeviceName, TimeGenerated, JobName, InitiatingProcessAccountName, ProcessCommandLine
| where isnotempty(JobName)
| sort by TimeGenerated desc
```

gpt-4.1-nano:

```kusto
DeviceProcessEvents
| where FileName endswith 'bitsadmin.exe'
| where ProcessCommandLine contains 'create'
| extend JobName = extract(@'\s/\s*(\S+)$', 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, JobName
```

grok-3-mini-beta:

```kusto
DeviceProcessEvents
| where FileName =~ 'bitsadmin.exe'
| where ProcessCommandLine contains '/create'
| extend JobName = extract(@'/create\s+([^\s]+)', 1, ProcessCommandLine)
| project Timestamp, DeviceName, ProcessCommandLine, JobName
| summarize JobNames = makeset(JobName) by DeviceName
```

o1-high:

```kusto
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName =~ "bitsadmin.exe"
| where ProcessCommandLine has "/create"
// Use a regex parse that captures either a quoted or unquoted job name
| parse kind=regex ProcessCommandLine with ".*bitsadmin\\.exe\\s+/create\\s+(\"[^\"]+\"|\\S+).*" JobName
// Clean up any surrounding double-quotes
| extend CustomJobName = trim('"', JobName)
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, CustomJobName
```

o3-mini-high:

```kusto
DeviceProcessEvents
| where tolower(InitiatingProcessFileName) == "bitsadmin.exe" or tolower(FileName) == "bitsadmin.exe"
| where ProcessCommandLine has "/create"
| extend CustomJobName = extract(@"/create\s+(\S+)", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, ProcessCommandLine, CustomJobName
| order by TimeGenerated desc
```

o4-mini-high:

```kusto
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName has_cs "bitsadmin.exe"
| where ProcessCommandLine has_cs "/create"
| extend JobName = extract('(?i)/create\\s+"?([^"\\s]+)"?', 1, ProcessCommandLine)
| where isnotempty(JobName)
| project TimeGenerated, DeviceName, AccountName, ProcessId, JobName, ProcessCommandLine
```