// question

A Windows host shows a process launch with an extremely obfuscated command line that dynamically builds and invokes code at runtime. Which process name was used to execute this payload?

Reference KQL answer and model-by-model comparison.

8b3f4ed6-077b-4bdd-891c-2d237f19410f
question id
14/23
models correct
1
valid answer
61%
success rate
// reference answer

Human-validated correct answer for this question.

powershell
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
powershell.exe
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine contains "-EncodedCommand" or (strlen(ProcessCommandLine) > 500 and FileName in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"))
| distinct FileName
pass134.65s0.0204
gpt-35-turbo
no answer
no query generatedfail50.00s0.0109
gpt-4-turbo-2024-04-09
no answer
no query generatedfail50.00s0.2335
gpt-4.1
powershell.exe
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where strlen(ProcessCommandLine) > 300 
      or ProcessCommandLine matches regex @"[A-Za-z0-9]{30,}" 
      or ProcessCommandLine has_any ("Invoke", "Reflection", "Decode", "exec", "forEach", "Base64", "FromBase64String")
      or ProcessCommandLine matches regex @"[\^%$\+#\{\}\[\];\|]{8,}"
| summarize Count = count() by FileName, DeviceName
| top 20 by Count desc
pass211.22s0.0232
gpt-4.1-finetuned
no answer
no query generatedfail50.00s0.0598
gpt-4.1-mini
powershell.exe
DeviceProcessEvents
| where isnotempty(ProcessCommandLine)
// look for typical patterns of obfuscation indicating dynamic code execution
| where ProcessCommandLine matches regex @"(base64|invoke-expression|iex|char\(|\[string\]|\+{2,}|\$[a-zA-Z0-9_]+\s*=|frombase64string)"
| summarize by InitiatingProcessFileName
| project InitiatingProcessFileName
pass15.75s0.0024
gpt-4.1-nano
no answer
no query generatedfail50.00s0.0015
gpt-4o
no answer
no query generatedfail50.00s0.0522
gpt-5-high
powershell.exe
let dynamic_tokens = @'(?i)\b(iex|invoke-expression|add-type|scriptblock\s*(?:::|\.)\s*create|(?:system\.)?reflection\.assembly\s*(?:::|\.)\s*load|frombase64string)\b';
let base64_or_obfuscated = @'(?i)(?:-enc(?:odedcommand)?\s+[A-Za-z0-9+/=]{40,}|[A-Za-z0-9+/=]{120,})';
let suspicious_concat = @'(?i)(["'']\s*\+\s*["''])';
let obf_repeat = @'[`^]{3,}';
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where isnotempty(ProcessCommandLine)
| extend cmd = tostring(ProcessCommandLine)
| extend len = strlen(cmd)
| extend alnum_len = strlen(replace_regex(cmd, @'[^A-Za-z0-9]', ''))
| extend non_ratio = iif(len == 0, 0.0, todouble(len - alnum_len) / todouble(len))
| extend has_dynamic = cmd matches regex dynamic_tokens
| extend has_b64 = cmd matches regex base64_or_obfuscated
| extend has_concat = cmd matches regex suspicious_concat
| extend has_obf_chars = cmd matches regex obf_repeat
| extend score = iif(has_dynamic,3,0) + iif(has_b64,3,0) + iif(has_concat,1,0) + iif(has_obf_chars,1,0) + iif(len > 250,1,0) + iif(non_ratio > 0.45,1,0)
| where score > 0
| summarize Events=count(), Devices=dcount(DeviceId), LatestTime=max(TimeGenerated), ExampleCommandLine=arg_max(score, cmd) by ProcessName=FileName
| order by Events desc, LatestTime desc
pass3262.07s0.1887
gpt-5-mini-high
no answer
no query generatedfail50.00s0.0145
gpt-5-mini-low
no answer
no query generatedfail50.00s0.0235
gpt-5-mini-medium
powershell.exe
union isfuzzy=true DeviceProcessEvents, DeviceEvents
| extend CmdLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine)
| where isnotempty(CmdLine)
// indicators of runtime code construction/obfuscation or dynamic invocation
| where CmdLine matches regex @"(?i)(\b(iex|invoke-expression|invokeexpression)\b|frombase64string|frombase64|\[char\]|-join\b|new-object\s+net\.webclient|downloadstring|invoke-webrequest|system\.reflection\.assembly::load|powershell\s+(-encodedcommand|\-e\b|/e\b)|certutil\s+-decode|mshta\b|cmd\.exe\s+/c|add-type|assembly\.load|reflection\.emit|dynamicmethod|createdelegate|ilgenerator|encodedcommand)"
| extend ExecutingProcess = coalesce(FileName, InitiatingProcessFileName, tostring(split(trim('"', CmdLine), ' ')[0]))
| summarize Occurrences = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by ExecutingProcess
| where isnotempty(ExecutingProcess)
| order by Occurrences desc
| top 20 by Occurrences

// Also show recent raw samples for triage
| union (
    union isfuzzy=true DeviceProcessEvents, DeviceEvents
    | extend CmdLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine)
    | where isnotempty(CmdLine)
    | where CmdLine matches regex @"(?i)(\b(iex|invoke-expression|invokeexpression)\b|frombase64string|frombase64|\[char\]|-join\b|new-object\s+net\.webclient|downloadstring|invoke-webrequest|system\.reflection\.assembly::load|powershell\s+(-encodedcommand|\-e\b|/e\b)|certutil\s+-decode|mshta\b|cmd\.exe\s+/c|add-type|assembly\.load|reflection\.emit|dynamicmethod|createdelegate|ilgenerator|encodedcommand)"
    | extend ExecutingProcess = coalesce(FileName, InitiatingProcessFileName, tostring(split(trim('"', CmdLine), ' ')[0]))
    | project TimeGenerated, DeviceName, DeviceId, ProcessId, ExecutingProcess, CmdLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ReportId, _ResourceId
    | order by TimeGenerated desc
    | take 200
)
pass472.91s0.0194
gpt-5-nano-high
no answer
no query generatedfail50.00s0.0086
gpt-5-nano-medium
powershell.exe
let suspiciousPS = tolower("powershell");
DeviceProcessEvents
| where isnotempty(ProcessCommandLine)
| where tolower(ProcessCommandLine) contains "powershell" and (
    tolower(ProcessCommandLine) contains "encodedcommand" or
    tolower(ProcessCommandLine) contains "base64" or
    tolower(ProcessCommandLine) contains "iex" or
    tolower(ProcessCommandLine) contains "invoke-expression"
)
| project TimeGenerated, DeviceName, ExecutedProcessName = FileName, InitiatingProcessFileName, InitiatingProcessCommandLine, PayloadCommandLine = ProcessCommandLine
| summarize Count = count() by ExecutedProcessName, InitiatingProcessFileName
| top 1 by Count desc
pass133.67s0.0025
grok-3-beta
powershell.exe
DeviceProcessEvents
| where ProcessCommandLine != ''
| where strlen(ProcessCommandLine) > 500 or ProcessCommandLine contains 'Invoke-Expression' or ProcessCommandLine contains 'IEX' or ProcessCommandLine contains 'EncodedCommand'
| project FileName, ProcessCommandLine, DeviceName, ProcessCreationTime
| order by ProcessCreationTime desc
| take 50
pass219.27s0.0934
grok-3-mini-beta
powershell.exe
DeviceProcessEvents
| where ProcessCommandLine contains "Invoke-Expression" or ProcessCommandLine contains "IEX"
| distinct FileName
pass114.46s0.0015
o1-high
powershell.exe
DeviceProcessEvents
| where ProcessCommandLine has_any ("iex", "FromBase64String", "System.Reflection")
| project TimeGenerated, DeviceName, FileName, FolderPath, ProcessCommandLine
| order by TimeGenerated desc
pass121.74s0.2122
o1-low
powershell.exe
DeviceProcessEvents
| where ActionType in~ ("CreateProcess", "ProcessCreated")
| where tolower(ProcessCommandLine) has_any ("encodedcommand", "reflection.emit", "invoke-expression", "frombase64string")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, FolderPath, SHA256
| order by TimeGenerated desc
pass247.35s0.3583
o3-high
powershell.exe
// 1.  Look at process start events
DeviceProcessEvents
| where ActionType == "ProcessCreated"
// 2.  Filter for command-lines that show signs of heavy obfuscation or run-time code generation
//     – long base64 blobs (-enc …) or FromBase64String()
//     – use of IEX / Invoke-Expression / Add-Type / Reflection
//     – very long command lines (>200 chars)
| extend cmd = tostring(ProcessCommandLine)
| where strlen(cmd) > 200 
       or cmd has "-enc" or cmd has "-encodedcommand" 
       or cmd has "FromBase64String" or cmd has "Invoke-Expression" or cmd has "IEX(" 
       or cmd has "Add-Type" or cmd has "System.Reflection" or cmd matches regex @"[A-Za-z0-9+/]{100,}="
// 3.  Return the process name(s) that executed that payload
| summarize ExampleCommandLine = any(cmd), Events = count() by FileName
| sort by Events desc
pass141.20s0.0468
o3-mini-high
powershell.exe
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where strlen(InitiatingProcessCommandLine) > 200
| summarize Count = count() by ProcessName = InitiatingProcessFileName
| sort by Count desc
pass122.66s0.0167
o3-mini-low
powershell.exe
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine has "-enc" or ProcessCommandLine has "IEX"
| summarize event_count=count() by ProcessName = FileName
| sort by event_count desc
pass169.53s0.0107
o4-mini-high
no answer
no query generatedfail50.00s0.0382
o4-mini-low
powershell.exe
DeviceProcessEvents
| where ActionType == "ProcessCreated"
// Look for common obfuscation and dynamic code invocation patterns
| where ProcessCommandLine matches regex @"(?i)\b(IEX|Invoke-Expression|FromBase64String|Add-Type|Reflection|Assembly\.Load)\b"
| project TimeGenerated, DeviceName, ProcessName = FileName, ProcessCommandLine
| sort by TimeGenerated desc
| distinct ProcessName
pass130.60s0.0102