Question Analysis
A Windows endpoint recorded command-line activity through cmd.exe that lists all running processes. Determine which built-in tool was executed to perform this action.
c5806a4f-62b8-4900-980b-c7ec004e9908
Question ID
19/23
Models Correct
1
Valid Answer
83%
Success Rate
Reference Answer
Human-validated correct answer for this question
tasklist
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0420 |
gpt-35-turbo | PowerShell | DeviceProcessEvents | where FileName == 'cmd.exe' and ProcessCommandLine contains 'tasklist' | project TimeGenerated, DeviceName, InitiatingProcessCommandLine | Incorrect | 4 | 8.49s | 0.0101 |
gpt-4-turbo-2024-04-09 | tasklist | DeviceProcessEvents
| where FileName =~ 'cmd.exe' and ProcessCommandLine has 'tasklist'
| project DeviceName, ProcessCommandLine, TimeGenerated | Correct | 2 | 14.65s | 0.0949 |
gpt-4.1 | tasklist.exe | DeviceProcessEvents
| where InitiatingProcessFileName =~ "cmd.exe"
| where
FileName =~ "tasklist.exe"
or (FileName =~ "wmic.exe" and ProcessCommandLine has_any ("process list", "process get"))
or (FileName =~ "powershell.exe" and ProcessCommandLine has "Get-Process")
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, AccountName
| summarize Count=count(), SampleCommand=any(ProcessCommandLine) by FileName
| order by Count desc | Correct | 4 | 19.12s | 0.0316 |
gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0594 |
gpt-4.1-mini | tasklist | DeviceProcessEvents
| where InitiatingProcessFileName == "cmd.exe"
| where InitiatingProcessCommandLine has_any ("tasklist", "wmic process", "Get-Process")
| project Timestamp, DeviceName, InitiatingProcessCommandLine
| distinct Timestamp, DeviceName, InitiatingProcessCommandLine
| order by Timestamp desc | Correct | 2 | 52.03s | 0.0042 |
gpt-4.1-nano | tasklist | DeviceProcessEvents
| where FileName in ('cmd.exe', 'cmd')
| where ProcessCommandLine contains 'tasklist' or ProcessCommandLine contains '/tasklist' or ProcessCommandLine contains '/status'
| project DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCreationTime | Correct | 1 | 2.08s | 0.0005 |
gpt-4o | tasklist.exe | DeviceProcessEvents
| where InitiatingProcessFileName == "cmd.exe"
and InitiatingProcessCommandLine contains "tasklist"
| summarize ExecutedTool = any(FileName) by DeviceName, ProcessCreationTime | Correct | 1 | 2.58s | 0.0143 |
gpt-5-high | tasklist | let ProcessListRegex = @"(?i)\b(tasklist(\.exe)?|(wmic(\.exe)?\s+(path\s+win32_process|process))|(qprocess(\.exe)?|query(\.exe)?\s+process)|((powershell|pwsh)(\.exe)?\b.*\bget-process\b))\b";
DeviceProcessEvents
| where InitiatingProcessFileName =~ "cmd.exe"
| where ProcessCommandLine matches regex ProcessListRegex or FileName matches regex @"(?i)^(tasklist|wmic|qprocess|query|powershell|pwsh)\.exe$"
| extend BuiltInTool = case(
FileName =~ "tasklist.exe" or ProcessCommandLine matches regex @"(?i)\btasklist(\.exe)?\b", "tasklist",
FileName =~ "wmic.exe" or ProcessCommandLine matches regex @"(?i)\bwmic(\.exe)?\s+(path\s+win32_process|process)\b", "wmic process",
FileName =~ "qprocess.exe" or ProcessCommandLine matches regex @"(?i)\b(qprocess(\.exe)?|query(\.exe)?\s+process)\b", "query process (qprocess)",
ProcessCommandLine matches regex @"(?i)\b(powershell|pwsh)(\.exe)?\b.*\bget-process\b", "PowerShell Get-Process",
"other"
)
| where BuiltInTool != "other"
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessCommandLine, BuiltInTool
| order by TimeGenerated desc
// To summarize which tool was used per device/account, append:
// | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Events=count() by DeviceName, AccountName, BuiltInTool | Correct | 1 | 65.60s | 0.0493 |
gpt-5-mini-high | tasklist | union isfuzzy=true DeviceProcessEvents, DeviceEvents, DeviceFileEvents
| extend ProcFile = tostring(coalesce(FileName, InitiatingProcessFileName)),
CmdLine = tostring(coalesce(ProcessCommandLine, InitiatingProcessCommandLine, tostring(AdditionalFields["CommandLine"])))
| where isnotempty(ProcFile) and tolower(ProcFile) endswith "cmd.exe"
| where isnotempty(CmdLine) and (
tolower(CmdLine) contains "tasklist" or
tolower(CmdLine) contains "wmic" or
tolower(CmdLine) contains "get-process" or
tolower(CmdLine) contains "powershell" or
tolower(CmdLine) contains "pslist"
)
| extend DetectedTool = case(
tolower(CmdLine) contains "tasklist", "tasklist",
tolower(CmdLine) contains "wmic", "wmic",
tolower(CmdLine) contains "get-process" or tolower(CmdLine) contains "powershell", "PowerShell (Get-Process)",
tolower(CmdLine) contains "pslist", "Sysinternals PsList",
"unknown"
)
| project TimeGenerated, DeviceName, AccountName = coalesce(AccountName, InitiatingProcessAccountName), ProcFile, CmdLine, DetectedTool
| sort by TimeGenerated desc
| take 100 | Correct | 2 | 40.58s | 0.0110 |
gpt-5-mini-low | tasklist | // Search for cmd.exe invoking commands that list processes
let suspects = DeviceProcessEvents
| where ProcessCommandLine has_cs "cmd.exe" or InitiatingProcessFileName has_cs "cmd.exe"
| where ProcessCommandLine has_any ("tasklist","wmic process","wmic.exe","powershell -command","powershell.exe -command","powershell -c","Get-Process")
| project TimeGenerated, DeviceName, ProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessAccountName, ProcessCreationTime;
let deviceEventsMatches = DeviceEvents
| where ProcessCommandLine has_cs "cmd.exe" or InitiatingProcessFileName has_cs "cmd.exe"
| where ProcessCommandLine has_any ("tasklist","wmic process","wmic.exe","powershell -command","powershell.exe -command","powershell -c","Get-Process")
| project TimeGenerated, DeviceName, ProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessAccountName;
union suspects, deviceEventsMatches
| extend ExecutedTool = case(
tolower(ProcessCommandLine) contains "tasklist", "tasklist",
tolower(ProcessCommandLine) contains "wmic", "wmic",
tolower(ProcessCommandLine) contains "get-process" or tolower(ProcessCommandLine) contains "powershell", "powershell",
"other")
| sort by TimeGenerated desc
| distinct DeviceName, TimeGenerated, ProcessId, ExecutedTool, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| take 100 | Correct | 1 | 15.20s | 0.0034 |
gpt-5-mini-medium | PowerShell | // Find cmd.exe events that executed commands to list processes and identify which built-in tool was used
DeviceEvents
| where FileName =~ "cmd.exe" or InitiatingProcessFileName =~ "cmd.exe"
// Time range will be applied externally by the query runtime
| where tolower(tostring(ProcessCommandLine)) contains "tasklist"
or tolower(tostring(ProcessCommandLine)) contains "wmic"
or tolower(tostring(ProcessCommandLine)) contains "tlist"
or tolower(tostring(ProcessCommandLine)) contains "get-process"
or tolower(tostring(ProcessCommandLine)) contains "/c tasklist"
or tolower(tostring(ProcessCommandLine)) contains "/c wmic"
or tolower(tostring(ProcessCommandLine)) contains "/c tlist"
or tolower(tostring(ProcessCommandLine)) contains "/c powershell"
or tolower(tostring(InitiatingProcessCommandLine)) contains "tasklist"
or tolower(tostring(InitiatingProcessCommandLine)) contains "wmic"
or tolower(tostring(InitiatingProcessCommandLine)) contains "tlist"
or tolower(tostring(InitiatingProcessCommandLine)) contains "get-process"
or tolower(tostring(InitiatingProcessCommandLine)) contains "/c tasklist"
or tolower(tostring(InitiatingProcessCommandLine)) contains "/c wmic"
or tolower(tostring(InitiatingProcessCommandLine)) contains "/c tlist"
or tolower(tostring(InitiatingProcessCommandLine)) contains "/c powershell"
| extend DetectedTool = case(
tolower(tostring(ProcessCommandLine)) contains "tasklist" or tolower(tostring(InitiatingProcessCommandLine)) contains "tasklist", "tasklist",
tolower(tostring(ProcessCommandLine)) contains "wmic" or tolower(tostring(InitiatingProcessCommandLine)) contains "wmic", "wmic",
tolower(tostring(ProcessCommandLine)) contains "tlist" or tolower(tostring(InitiatingProcessCommandLine)) contains "tlist", "tlist",
tolower(tostring(ProcessCommandLine)) contains "get-process" or tolower(tostring(InitiatingProcessCommandLine)) contains "get-process" or tolower(tostring(ProcessCommandLine)) contains "powershell" or tolower(tostring(InitiatingProcessCommandLine)) contains "powershell", "powershell Get-Process",
"unknown")
| project TimeGenerated, DeviceName, FileName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, AccountName, ActionType, DetectedTool
| order by TimeGenerated desc
// Also include a summarized view
| union (
// summary
DeviceEvents
| where FileName =~ "cmd.exe" or InitiatingProcessFileName =~ "cmd.exe"
| where tolower(tostring(ProcessCommandLine)) contains "tasklist"
or tolower(tostring(ProcessCommandLine)) contains "wmic"
or tolower(tostring(ProcessCommandLine)) contains "tlist"
or tolower(tostring(ProcessCommandLine)) contains "get-process"
or tolower(tostring(ProcessCommandLine)) contains "/c tasklist"
or tolower(tostring(ProcessCommandLine)) contains "/c wmic"
or tolower(tostring(ProcessCommandLine)) contains "/c tlist"
or tolower(tostring(ProcessCommandLine)) contains "/c powershell"
or tolower(tostring(InitiatingProcessCommandLine)) contains "tasklist"
or tolower(tostring(InitiatingProcessCommandLine)) contains "wmic"
or tolower(tostring(InitiatingProcessCommandLine)) contains "tlist"
or tolower(tostring(InitiatingProcessCommandLine)) contains "get-process"
or tolower(tostring(InitiatingProcessCommandLine)) contains "/c tasklist"
or tolower(tostring(InitiatingProcessCommandLine)) contains "/c wmic"
or tolower(tostring(InitiatingProcessCommandLine)) contains "/c tlist"
or tolower(tostring(InitiatingProcessCommandLine)) contains "/c powershell"
| extend DetectedTool = case(
tolower(tostring(ProcessCommandLine)) contains "tasklist" or tolower(tostring(InitiatingProcessCommandLine)) contains "tasklist", "tasklist",
tolower(tostring(ProcessCommandLine)) contains "wmic" or tolower(tostring(InitiatingProcessCommandLine)) contains "wmic", "wmic",
tolower(tostring(ProcessCommandLine)) contains "tlist" or tolower(tostring(InitiatingProcessCommandLine)) contains "tlist", "tlist",
tolower(tostring(ProcessCommandLine)) contains "get-process" or tolower(tostring(InitiatingProcessCommandLine)) contains "get-process" or tolower(tostring(ProcessCommandLine)) contains "powershell" or tolower(tostring(InitiatingProcessCommandLine)) contains "powershell", "powershell Get-Process",
"unknown")
| summarize Count = count() by DetectedTool, DeviceName
)
| limit 500 | Incorrect | 2 | 23.76s | 0.0071 |
gpt-5-nano-high | tasklist | DeviceProcessEvents
| where TimeGenerated >= ago(1d)
| where tolower(InitiatingProcessFileName) == 'cmd.exe'
| where isnotempty(InitiatingProcessCommandLine) and tolower(InitiatingProcessCommandLine) contains 'tasklist'
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessCreationTime, ReportId, _ResourceId | Correct | 1 | 31.25s | 0.0021 |
gpt-5-nano-medium | tasklist.exe | let cmdListEvents = DeviceProcessEvents
| where tolower(InitiatingProcessFileName) == "cmd.exe"
| where (tolower(FileName) contains "tasklist" or tolower(ProcessCommandLine) contains "tasklist" or tolower(InitiatingProcessCommandLine) contains "tasklist")
| extend BuiltInTool = iif(tolower(FileName) contains "tasklist", "tasklist.exe", iif(tolower(ProcessCommandLine) contains "tasklist", "tasklist.exe", iif(tolower(InitiatingProcessCommandLine) contains "tasklist", "tasklist.exe", "Unknown")))
| where BuiltInTool != "Unknown"
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, FileName, ProcessId, InitiatingProcessId, BuiltInTool
; cmdListEvents | Correct | 1 | 44.41s | 0.0019 |
grok-3-beta | tasklist | DeviceProcessEvents
| where InitiatingProcessFileName =~ 'cmd.exe'
| where ProcessCommandLine contains 'tasklist'
| project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, ProcessCreationTime, InitiatingProcessAccountName
| order by TimeGenerated desc | Correct | 1 | 10.27s | 0.0201 |
grok-3-mini-beta | tasklist | DeviceProcessEvents
| where FileName =~ 'cmd.exe'
| where ProcessCommandLine contains 'tasklist' or ProcessCommandLine contains 'wmic process'
| extend Tool = extract(@'(\btasklist\b|\bwmic process\b)', 1, ProcessCommandLine)
| summarize DistinctTools = make_set(Tool) by TimeGenerated, DeviceName, FileName | Correct | 2 | 25.48s | 0.0030 |
o1-high | tasklist | DeviceProcessEvents
| where InitiatingProcessFileName =~ "cmd.exe"
// Filter to known built-in tools typically used to list running processes
| where FileName in~ ("tasklist.exe", "wmic.exe")
// Optionally refine to further confirm the process-listing context
// by inspecting the command line for relevant keywords (uncomment line below if needed)
// | where ProcessCommandLine has_any ("list", "tasklist", "process")
| project TimeGenerated, DeviceName, AccountName, FolderPath, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 32.52s | 0.2029 |
o1-low | tasklist | DeviceProcessEvents
| where InitiatingProcessFileName =~ "cmd.exe"
| where FileName in~ ("tasklist.exe", "wmic.exe")
| project TimeGenerated, DeviceId, DeviceName, FolderPath, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 22.03s | 0.1919 |
o3-high | tasklist | DeviceProcessEvents
| where InitiatingProcessFileName =~ "cmd.exe" // launched from command prompt
| where FileName in ("tasklist.exe", "wmic.exe") // known process-enumeration tools
| where FileName == "tasklist.exe" // tasklist – always lists processes
or (FileName == "wmic.exe" and // wmic – make sure it was used to list processes
ProcessCommandLine has "process" and ProcessCommandLine has "list")
| extend ToolExecuted = FileName
| summarize FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated),
DevicesAffected = dcount(DeviceId)
by ToolExecuted
| order by LastSeen desc | Correct | 3 | 124.09s | 0.0526 |
o3-mini-high | tasklist | DeviceProcessEvents
| where InitiatingProcessFileName =~ "cmd.exe"
| where ProcessCommandLine contains "tasklist"
| project TimeGenerated, DeviceName, ProcessId, InitiatingProcessFileName, ProcessCommandLine
| Correct | 1 | 10.04s | 0.0088 |
o3-mini-low | tasklist | DeviceProcessEvents
| where FileName =~ "cmd.exe"
| where InitiatingProcessCommandLine has "tasklist" or ProcessCommandLine has "tasklist"
| project TimeGenerated, DeviceName, FileName, InitiatingProcessCommandLine, ProcessCommandLine
| sort by TimeGenerated desc | Correct | 1 | 51.46s | 0.0111 |
o4-mini-high | tasklist | DeviceProcessEvents
| where FileName == "cmd.exe"
| where ProcessCommandLine has_any ("tasklist","wmic","powershell","Get-Process")
| extend Tool = case(
ProcessCommandLine contains "tasklist", "tasklist",
ProcessCommandLine contains "wmic", "wmic",
ProcessCommandLine contains "Get-Process", "Get-Process",
ProcessCommandLine contains "powershell", "PowerShell",
"Unknown")
| where Tool != "Unknown"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, Tool
| summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by DeviceName, InitiatingProcessAccountName, Tool
| order by Count desc | Correct | 1 | 21.99s | 0.0099 |
o4-mini-low | tasklist.exe | DeviceProcessEvents
| where InitiatingProcessFileName == "cmd.exe"
| where ProcessCommandLine has "tasklist" or ProcessCommandLine has_cs "wmic process list"
| summarize Occurrences = count() by BuiltInTool = strcat(FolderPath, "\\", FileName)
| project BuiltInTool, Occurrences | Correct | 1 | 26.20s | 0.0100 |