// question

A Windows host executed an ICMP-based network reconnaissance using a looping instruction in cmd.exe. Identify the exact command line that was used to perform the ping sweep.

Reference KQL answer and model-by-model comparison.

6db1f57f-d1d5-4223-8a66-55c9c65a9592
question id
19/23
models correct
1
valid answer
83%
success rate
// reference answer

Human-validated correct answer for this question.

for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
"cmd.exe" /c for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName == "cmd.exe"
| where ProcessCommandLine contains "for" and ProcessCommandLine contains "ping"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, AccountName
pass18.68s0.0030
gpt-35-turbo
ping -n 5 127.0.0.1 >nul 2>&1
DeviceProcessEvents
| where ActionType == 'ProcessCreated' and ProcessCommandLine contains 'ping' and ProcessCommandLine contains '-t' and ProcessCommandLine contains 'cmd.exe'
fail12.08s0.0030
gpt-4-turbo-2024-04-09
"cmd.exe" /c for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
DeviceProcessEvents
| where FileName == 'cmd.exe' and ProcessCommandLine has 'for' and ProcessCommandLine has 'ping'
| project DeviceName, ProcessCommandLine, TimeGenerated
| distinct ProcessCommandLine
pass17.70s0.0490
gpt-4.1
"cmd.exe" /c for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
DeviceProcessEvents
| where tolower(FileName) == "cmd.exe" or tolower(InitiatingProcessFileName) == "cmd.exe"
| where (
    (tolower(ProcessCommandLine) has "for" and tolower(ProcessCommandLine) has "ping" and ProcessCommandLine matches regex @"for.+(%%?\w).+ping")
    or
    (tolower(InitiatingProcessCommandLine) has "for" and tolower(InitiatingProcessCommandLine) has "ping" and InitiatingProcessCommandLine matches regex @"for.+(%%?\w).+ping")
)
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by TimeGenerated desc
pass530.65s0.0606
gpt-4.1-finetuned
no answer
no query generatedfail50.00s0.0529
gpt-4.1-mini
for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
DeviceProcessEvents
| where InitiatingProcessParentFileName == "cmd.exe"
| where ProcessCommandLine contains "ping"
| where ProcessCommandLine matches regex @".*(for|while|foreach).* ping.*"
| project DeviceName, ProcessCommandLine, TimeGenerated
| order by TimeGenerated desc
pass26.06s0.0042
gpt-4.1-nano
for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
DeviceProcessEvents
| where FileName == 'cmd.exe'
| where ProcessCommandLine has_any ('for', 'while') or ProcessCommandLine contains 'ping'
| project DeviceName, ProcessId, ProcessCommandLine, ProcessCreationTime, InitiatingProcessFileName
pass325.47s0.0010
gpt-4o
"cmd.exe" /c for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
DeviceProcessEvents
| where InitiatingProcessFileName == "cmd.exe"
| where InitiatingProcessCommandLine has_all ("ping", "-n", "&&") or InitiatingProcessCommandLine has_any ("for", "loop", "%%")
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, InitiatingProcessAccountDomain, InitiatingProcessAccountName
pass26.30s0.0378
gpt-5-high
"cmd.exe" /c for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
let ping_loop_regex = @"\bfor\s+/(l|f)\b[^\r\n]*\bdo\b[^\r\n]*\bping\b|\bset\s+/a\b[^\r\n]*&[^\r\n]*\bping\b[^\r\n]*&[^\r\n]*\bgoto\b";
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName =~ "cmd.exe"
| where isnotempty(ProcessCommandLine)
| extend pcl = tolower(ProcessCommandLine)
| where pcl has "ping" and (pcl matches regex ping_loop_regex)
| project TimeGenerated, DeviceName, AccountDomain, AccountName, ProcessCommandLine
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Executions=count() by DeviceName, AccountDomain, AccountName, ProcessCommandLine
| order by LastSeen desc
pass168.05s0.0438
gpt-5-mini-high
"cmd.exe" /c for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
let cmdSources = (
    DeviceProcessEvents
    | extend CmdLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine)
    | project Timestamp, DeviceName, FileName, ProcessId, CmdLine, InitiatingProcessFileName
)
| union (
    DeviceEvents
    | extend CmdLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine)
    | project Timestamp, DeviceName, FileName, ProcessId, CmdLine, InitiatingProcessFileName
);

cmdSources
| where isnotempty(CmdLine)
| where (FileName has_cs "cmd.exe") or (InitiatingProcessFileName has_cs "cmd.exe") or tolower(CmdLine) contains "cmd.exe"
| where tolower(CmdLine) contains "ping"
| where (tolower(CmdLine) contains "for /l" or tolower(CmdLine) contains "for /f" or tolower(CmdLine) contains "for %")
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), Examples=make_set(CmdLine, 20) by DeviceName, FileName, ProcessId
| mv-expand Examples
| project DeviceName, FileName, ProcessId, PingSweepCommandLine=Examples, FirstSeen, LastSeen
| order by FirstSeen desc
pass565.28s0.0185
gpt-5-mini-low
cmd.exe /c for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
// Find cmd.exe-based ping sweeps using looping constructs
let loopPingRegex = @"(?i)\bfor\b.*\bping\b|\bping\b.*\bfor\b";
// Primary: process creation events (best fidelity)
let proc = DeviceProcessEvents
| where FileName has_cs "cmd.exe" or ProcessCommandLine has_cs "cmd.exe"
| where isnotempty(ProcessCommandLine) and ProcessCommandLine matches regex loopPingRegex
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessId, CommandLine = ProcessCommandLine;
// Supplementary: other device events that may contain process command lines
let dev = DeviceEvents
| where (FileName has_cs "cmd.exe") or (ProcessCommandLine has_cs "cmd.exe") or (InitiatingProcessFileName has_cs "cmd.exe")
| extend ProcessId = coalesce(ProcessId, InitiatingProcessId), CommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine)
| where isnotempty(CommandLine) and CommandLine matches regex loopPingRegex
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessId, CommandLine;

union isfuzzy=true proc, dev
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Devices=make_set(DeviceName), Users=make_set(AccountName), Count=count(), PIDs=make_set(ProcessId) by CommandLine
| order by FirstSeen desc
| project FirstSeen, LastSeen, Count, Devices, Users, PIDs, CommandLine
| take 100

// NOTE: TimeGenerated/time range is applied by the caller/environment. If needed, add an explicit where TimeGenerated between(...) filter.
pass237.26s0.0098
gpt-5-mini-medium
"cmd.exe" /c for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
union DeviceProcessEvents, DeviceEvents
| where FileName =~ "cmd.exe" or ProcessCommandLine has "cmd.exe"
| where ProcessCommandLine has "ping"
| where (
    tolower(ProcessCommandLine) contains "for" 
    or ProcessCommandLine contains "%i"
    or ProcessCommandLine contains "%%i"
    or tolower(ProcessCommandLine) contains " do "
  )
// get the most recent record for each distinct command line
| summarize arg_max(TimeGenerated, *) by ProcessCommandLine
| project TimeGenerated, DeviceName, ProcessId, InitiatingProcessId, InitiatingProcessFileName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine
| sort by TimeGenerated desc
pass136.26s0.0077
gpt-5-nano-high
"cmd.exe" /c for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
DeviceProcessEvents
| where tolower(InitiatingProcessFileName) == "cmd.exe"
| where InitiatingProcessCommandLine contains "ping" and InitiatingProcessCommandLine contains "for /l"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine
| sort by TimeGenerated desc
| take 5
pass137.73s0.0022
gpt-5-nano-medium
no answer
no query generatedfail50.00s0.0073
grok-3-beta
no answer
no query generatedfail50.00s0.1014
grok-3-mini-beta
"cmd.exe" /c for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
DeviceProcessEvents
| where FileName =~ 'cmd.exe'
| where ProcessCommandLine contains 'ping' and ProcessCommandLine contains 'for'
| project TimeGenerated, DeviceName, ProcessCommandLine
| order by TimeGenerated desc
| limit 10
pass112.76s0.0016
o1-high
"cmd.exe" /c for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
DeviceProcessEvents
| where ActionType =~ "ProcessCreated"
| where FileName =~ "cmd.exe"
| where ProcessCommandLine has_all ("ping", "for")
| project TimeGenerated, DeviceName, AccountDomain, AccountName, ProcessCommandLine
| order by TimeGenerated desc
pass147.18s0.2618
o1-low
"cmd.exe" /c for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName == "cmd.exe"
| where ProcessCommandLine contains "for /L" and ProcessCommandLine contains "ping"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
pass137.96s0.2467
o3-high
cmd.exe /c for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
DeviceProcessEvents
| where TimeGenerated between (ago(7d) .. now())   // Portal/function time-range overrides this
| where FileName =~ "cmd.exe"
| where ProcessCommandLine has_any ("for /l", "FOR /L")
| where ProcessCommandLine has "ping"
| where ProcessCommandLine matches regex @"(?i)for\s+/l\s+%+[a-z0-9]+\s+in\s+\([^)]*\)\s+do\s+ping"
| project TimeGenerated,
          DeviceName,
          AccountName,
          ProcessCommandLine
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), ExecCount=count() by DeviceName, AccountName, ProcessCommandLine
| order by LastSeen desc
pass132.08s0.0240
o3-mini-high
"cmd.exe" /c for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
DeviceProcessEvents
| where InitiatingProcessFileName =~ "cmd.exe"
| where InitiatingProcessCommandLine contains "ping" and InitiatingProcessCommandLine contains "for /l"
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine
| order by TimeGenerated desc
pass115.01s0.0148
o3-mini-low
"cmd.exe" /c for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
DeviceProcessEvents
| where InitiatingProcessFileName =~ "cmd.exe"
| where InitiatingProcessCommandLine has "ping"
| where InitiatingProcessCommandLine has "for"
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine
| sort by TimeGenerated desc
pass127.20s0.0145
o4-mini-high
"cmd.exe" /c for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
DeviceProcessEvents
// Apply your time range filter here (e.g. | where TimeGenerated between (start .. end))
| where FileName == "cmd.exe"
| where ProcessCommandLine matches regex @"(?i)for\s+/?l.*ping"
| project TimeGenerated, DeviceName, ProcessCommandLine
| sort by TimeGenerated desc
pass190.18s0.0144
o4-mini-low
"cmd.exe" /c for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
DeviceProcessEvents
| where FileName == "cmd.exe"
| where ProcessCommandLine has "for /L" and ProcessCommandLine has "ping"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| sort by TimeGenerated asc
pass2105.38s0.0214