Question Analysis
A threat actor on a Windows system crafted and registered a service named almost identically to the standard time service, but redirecting execution to a custom script. Review the logging data to determine which native command-line tool was used to perform this action. What utility was invoked?
b721c6ef-472c-4263-a0d9-37f1f4ecff66
Question ID
7/16
Models Correct
1
Valid Answer
44%
Success Rate
Reference Answer
Human-validated correct answer for this question
sc
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0532 |
| gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0110 |
| gpt-4-turbo-2024-04-09 | sc | DeviceProcessEvents
| where FileName has_any ('sc.exe', 'svchost.exe')
| where ProcessCommandLine contains 'create' or ProcessCommandLine contains 'config' or ProcessCommandLine contains 'delete'
| summarize Count=count() by ProcessCommandLine, InitiatingProcessFileName
| order by Count desc | Correct | 1 | 14.63s | 0.0552 |
| gpt-4.1 | sc.exe | DeviceProcessEvents
| where Timestamp >= ago(7d) // Adjust as needed for your investigation window
| where FileName in~ ("sc.exe", "powershell.exe", "cmd.exe", "reg.exe")
| where ProcessCommandLine has_any ("create", "config", "service")
| where ProcessCommandLine matches regex @"(?i)w?32?time"
| project Timestamp, DeviceName, FileName, ProcessCommandLine | Correct | 1 | 7.84s | 0.0124 |
| gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0413 |
| gpt-4.1-mini | sc | DeviceProcessEvents
| where ProcessCommandLine has_any ("create", "config", "delete")
| where ProcessCommandLine contains_cs "time" or ProcessCommandLine contains_cs "w32time" or ProcessCommandLine contains_cs "tim"
| where InitiatingProcessFileName in ("sc.exe", "powershell.exe", "cmd.exe", "New-Service", "net.exe") or FileName in ("sc.exe", "powershell.exe", "cmd.exe", "net.exe")
| project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine
| sort by TimeGenerated desc
| distinct InitiatingProcessFileName, ProcessCommandLine, DeviceName, TimeGenerated | Correct | 2 | 8.54s | 0.0047 |
| gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0015 |
| gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0494 |
| grok-3-beta | sc | let TimeRange = ago(30d);
union DeviceRegistryEvents, DeviceProcessEvents, DeviceEvents
| where Timestamp > TimeRange
| where (Type == 'DeviceRegistryEvents' and RegistryKey contains 'SYSTEM\\CurrentControlSet\\Services' and RegistryKey matches regex '(?i)(w32time|time|timeservice)')
or (Type == 'DeviceProcessEvents' and ProcessCommandLine matches regex '(?i)(sc\\s+create|sc\\s+config|New-Service|Set-Service|reg\\s+add|reg\\s+set)' and ProcessCommandLine matches regex '(?i)(w32time|time|timeservice)')
or (Type == 'DeviceEvents' and InitiatingProcessCommandLine matches regex '(?i)(sc\\s+create|sc\\s+config|New-Service|Set-Service|reg\\s+add|reg\\s+set)' and InitiatingProcessCommandLine matches regex '(?i)(w32time|time|timeservice)')
| where InitiatingProcessFileName matches regex '(?i)(sc\\.exe|reg\\.exe|powershell\\.exe|cmd\\.exe)'
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData, ProcessCommandLine, Type, ActionType
| order by Timestamp desc | Correct | 5 | 53.72s | 0.1061 |
| grok-3-mini-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0071 |
| o1-high | sc.exe | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName in~ ("sc.exe","reg.exe","cmd.exe","powershell.exe","wmic.exe","net.exe")
| where ProcessCommandLine has_any ("create", "config", "service", "binPath", "w32time")
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 47.99s | 0.2770 |
| o1-low | sc | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where tolower(ProcessCommandLine) has_any ("sc create", "sc config")
and tolower(ProcessCommandLine) contains "time"
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, AccountName
| order by TimeGenerated desc | Correct | 1 | 36.70s | 0.2778 |
| o3-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0490 |
| o3-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0500 |
| o4-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0536 |
| o4-mini-low | sc | DeviceProcessEvents
| where ProcessCommandLine has_cs "sc create"
| project TimeGenerated, DeviceName, Account=InitiatingProcessAccountName, FileName, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 41.83s | 0.0126 |