Question Analysis
A Windows host shows a process launch with an extremely obfuscated command line that dynamically builds and invokes code at runtime. Which process name was used to execute this payload?
Question ID: 8b3f4ed6-077b-4bdd-891c-2d237f19410f
Models Correct: 10/16
Valid Answer: 1
Success Rate: 63%
Reference Answer
Human-validated correct answer for this question
powershell
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | Status | Attempts | Time | Cost |
---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | powershell.exe | Correct | 1 | 34.65s | 0.0204 |
gpt-35-turbo | No answer provided | Incorrect | 5 | 0.00s | 0.0109 |
gpt-4-turbo-2024-04-09 | No answer provided | Incorrect | 5 | 0.00s | 0.2335 |
gpt-4.1 | powershell.exe | Correct | 2 | 11.22s | 0.0232 |
gpt-4.1-finetuned | No answer provided | Incorrect | 5 | 0.00s | 0.0598 |
gpt-4.1-mini | powershell.exe | Correct | 1 | 5.75s | 0.0024 |
gpt-4.1-nano | No answer provided | Incorrect | 5 | 0.00s | 0.0015 |
gpt-4o | No answer provided | Incorrect | 5 | 0.00s | 0.0522 |
grok-3-beta | powershell.exe | Correct | 2 | 19.27s | 0.0934 |
grok-3-mini-beta | powershell.exe | Correct | 1 | 14.46s | 0.0015 |
o1-high | powershell.exe | Correct | 1 | 21.74s | 0.2122 |
o1-low | powershell.exe | Correct | 2 | 47.35s | 0.3583 |
o3-mini-high | powershell.exe | Correct | 1 | 22.66s | 0.0167 |
o3-mini-low | powershell.exe | Correct | 1 | 69.53s | 0.0107 |
o4-mini-high | No answer provided | Incorrect | 5 | 0.00s | 0.0382 |
o4-mini-low | powershell.exe | Correct | 1 | 30.60s | 0.0102 |

KQL Queries
The query each model generated, shown as recorded. Models listed above with "No answer provided" generated no query.

gemini-2.5-flash-preview-04-17
```kql
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine contains "-EncodedCommand" or (strlen(ProcessCommandLine) > 500 and FileName in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"))
| distinct FileName
```

gpt-4.1
```kql
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where strlen(ProcessCommandLine) > 300
    or ProcessCommandLine matches regex @"[A-Za-z0-9]{30,}"
    or ProcessCommandLine has_any ("Invoke", "Reflection", "Decode", "exec", "forEach", "Base64", "FromBase64String")
    or ProcessCommandLine matches regex @"[\^%$\+#\{\}\[\];\|]{8,}"
| summarize Count = count() by FileName, DeviceName
| top 20 by Count desc
```

gpt-4.1-mini
```kql
DeviceProcessEvents
| where isnotempty(ProcessCommandLine)
// look for typical patterns of obfuscation indicating dynamic code execution
| where ProcessCommandLine matches regex @"(base64|invoke-expression|iex|char\(|\[string\]|\+{2,}|\$[a-zA-Z0-9_]+\s*=|frombase64string)"
| summarize by InitiatingProcessFileName
| project InitiatingProcessFileName
```

grok-3-beta
```kql
DeviceProcessEvents
| where ProcessCommandLine != ''
| where strlen(ProcessCommandLine) > 500 or ProcessCommandLine contains 'Invoke-Expression' or ProcessCommandLine contains 'IEX' or ProcessCommandLine contains 'EncodedCommand'
| project FileName, ProcessCommandLine, DeviceName, ProcessCreationTime
| order by ProcessCreationTime desc
| take 50
```

grok-3-mini-beta
```kql
DeviceProcessEvents
| where ProcessCommandLine contains "Invoke-Expression" or ProcessCommandLine contains "IEX"
| distinct FileName
```

o1-high
```kql
DeviceProcessEvents
| where ProcessCommandLine has_any ("iex", "FromBase64String", "System.Reflection")
| project TimeGenerated, DeviceName, FileName, FolderPath, ProcessCommandLine
| order by TimeGenerated desc
```

o1-low
```kql
DeviceProcessEvents
| where ActionType in~ ("CreateProcess", "ProcessCreated")
| where tolower(ProcessCommandLine) has_any ("encodedcommand", "reflection.emit", "invoke-expression", "frombase64string")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, FolderPath, SHA256
| order by TimeGenerated desc
```

o3-mini-high
```kql
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where strlen(InitiatingProcessCommandLine) > 200
| summarize Count = count() by ProcessName = InitiatingProcessFileName
| sort by Count desc
```

o3-mini-low
```kql
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine has "-enc" or ProcessCommandLine has "IEX"
| summarize event_count=count() by ProcessName = FileName
| sort by event_count desc
```

o4-mini-low
```kql
DeviceProcessEvents
| where ActionType == "ProcessCreated"
// Look for common obfuscation and dynamic code invocation patterns
| where ProcessCommandLine matches regex @"(?i)\b(IEX|Invoke-Expression|FromBase64String|Add-Type|Reflection|Assembly\.Load)\b"
| project TimeGenerated, DeviceName, ProcessName = FileName, ProcessCommandLine
| sort by TimeGenerated desc
| distinct ProcessName
```