Question Analysis
An alert has surfaced on a Linux host indicating a potentially malicious recursive delete operation. Investigate process events to find out which directory name was completely removed.
a415f17e-ce8d-4ce2-a8b4-83b674e7017e
Question ID
0/23
Models Correct
1
Valid Answer
0%
Success Rate
Reference Answer
Human-validated correct answer for this question
victim-folder
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | /tmp/atomic-test-T1036.006 | DeviceFileEvents
| where ActionType == "FileDeleted"
| summarize CountOfDeletedFiles = count() by DeviceName, FolderPath, InitiatingProcessCommandLine
| order by CountOfDeletedFiles desc | Incorrect | 1 | 12.25s | 0.0059 |
| gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0107 |
| gpt-4-turbo-2024-04-09 | /tmp/victim-files | DeviceProcessEvents
| where FileName contains 'bash' or FileName contains 'sh'
| where ProcessCommandLine contains 'rm' and ProcessCommandLine contains '-rf'
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, FolderPath | Incorrect | 1 | 12.30s | 0.0841 |
| gpt-4.1 | /var/spool/mail/copy; | DeviceProcessEvents
| where ProcessCommandLine has 'rm' and ProcessCommandLine has '-rf'
| extend regex = @'rm\s+-rf\s+([^\s]+)'
| extend RemovedDirectory = extract(regex, 1, ProcessCommandLine)
| where isnotempty(RemovedDirectory)
| summarize DeleteCount=count(), MinTime=min(TimeGenerated), MaxTime=max(TimeGenerated) by DeviceName, RemovedDirectory
| sort by DeleteCount desc, MaxTime desc | Incorrect | 1 | 16.00s | 0.0141 |
| gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0480 |
| gpt-4.1-mini | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0075 |
| gpt-4.1-nano | /var/spool/mail/copy; | DeviceProcessEvents
| where ProcessCommandLine has_any ('rm -rf', 'rm -r')
| extend DeletedDirectory = extract(@'rm -rf? \*?(\/[^\s]+)', 1, ProcessCommandLine)
| where isnotempty(DeletedDirectory)
| summarize Count = count() by DeletedDirectory
| order by Count desc
| take 10 | Incorrect | 5 | 25.08s | 0.0013 |
| gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0629 |
| gpt-5-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.3208 |
| gpt-5-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0313 |
| gpt-5-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0200 |
| gpt-5-mini-medium | art-staging | DeviceProcessEvents
| where ActionType has_any ("FileDeleted", "Delete", "Removed", "WriteFile", "RemovedDirectory", "DeleteFile", "FileDelete") or ProcessCommandLine has_any ("rm -rf", "rm -r", "unlink", "rmdir")
| where isnotempty(FolderPath) or isnotempty(FileName)
| extend FullPath = strcat(FolderPath, iff(FolderPath endswith "/", "", "/"), coalesce(FileName, ""))
// Identify candidate events which look like directory deletion: FileName empty or '.' or action mentioning directory
| extend IsDirDelete = iff(FileName == "" or FileName == "." or ActionType has "Directory" or ActionType has "Folder" or FolderPath endswith "/" and (ProcessCommandLine has "rm -rf" or ProcessCommandLine has "rm -r"), 1, 0)
| where IsDirDelete == 1 or ProcessCommandLine has "rm -rf"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessId, ProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType, FolderPath, FileName, FullPath
| summarize Events = count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by RemovedDirectory=coalesce(FullPath, FolderPath), DeviceName, InitiatingProcessAccountName, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by LastSeen desc
| limit 50 | Incorrect | 1 | 19.07s | 0.0061 |
| gpt-5-nano-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0075 |
| gpt-5-nano-medium | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0085 |
| grok-3-beta | /tmp/art-staging | DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where ProcessCommandLine has 'rm'
| where ProcessCommandLine matches regex @'rm\s+(-[a-zA-Z]*r[a-zA-Z]*\s+|--recursive\s+)[^\s]*'
| join kind=leftouter DeviceInfo on DeviceId
| where OSPlatform contains 'Linux'
| extend TargetDirectory = extract(@'rm\s+(-[a-zA-Z]*r[a-zA-Z]*\s+|--recursive\s+)([^\s]+)', 2, ProcessCommandLine)
| where isnotempty(TargetDirectory)
| project Timestamp, DeviceName, ProcessCommandLine, TargetDirectory, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
| limit 50 | Incorrect | 5 | 40.78s | 0.1078 |
| grok-3-mini-beta | /usr/bin | let linuxDevices = DeviceInfo | where OSPlatform == 'Linux' | distinct DeviceId;
DeviceProcessEvents
| where DeviceId in (linuxDevices)
| where ProcessCommandLine has "rm" and (ProcessCommandLine has "-r" or ProcessCommandLine has "-rf")
| project Timestamp, DeviceName, FolderPath, ProcessCommandLine
| order by Timestamp desc
| summarize RemovedDirectories = make_set(FolderPath) by DeviceName | Incorrect | 2 | 26.82s | 0.0030 |
| o1-high | art-staging | DeviceInfo
| where OSPlatform == "Linux"
| distinct DeviceId, DeviceName
| join kind=inner (
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine has_any ("rm", "-r", "--recursive")
// Attempt to extract the directory following an "rm -r" or "rm --recursive" pattern
| extend RemovedDirectory = extract(@"(?:rm\s+.*-r\S*\s+)([^\s]+)", 1, ProcessCommandLine)
| where isnotempty(RemovedDirectory)
| project TimeGenerated, DeviceId, ProcessCommandLine, RemovedDirectory
) on DeviceId
| project TimeGenerated, DeviceName, RemovedDirectory, ProcessCommandLine
| order by TimeGenerated desc | Incorrect | 1 | 63.08s | 0.4722 |
| o1-low | /tmp/atomic-test-T1036.006 | DeviceInfo
| where OSPlatform == "Linux"
| join kind=inner (
DeviceFileEvents
| where ActionType contains "Delete"
| where InitiatingProcessCommandLine has_any ("rm -r", "rm -rf")
) on DeviceId
| project TimeGenerated, DeviceName, ActionType, FolderPath, InitiatingProcessCommandLine
| order by TimeGenerated desc | Incorrect | 3 | 97.89s | 0.6721 |
| o3-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.1308 |
| o3-mini-high | art-staging | DeviceProcessEvents
| where ProcessCommandLine has "rm -rf"
| extend RemovedDirectory = extract(@"rm\s+-rf\s+(\S+)", 1, ProcessCommandLine)
| where isnotempty(RemovedDirectory)
| project TimeGenerated, DeviceName, ProcessCommandLine, RemovedDirectory
| order by TimeGenerated desc | Incorrect | 1 | 36.15s | 0.0215 |
| o3-mini-low | art-staging | DeviceProcessEvents
| where InitiatingProcessCommandLine has "rm" and InitiatingProcessCommandLine has "-rf"
| extend RemovedDir = extract(@"rm\s+-rf\s+(\S+)", 1, InitiatingProcessCommandLine)
| where isnotempty(RemovedDir)
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, RemovedDir, FolderPath
| order by TimeGenerated desc | Incorrect | 1 | 28.43s | 0.0193 |
| o4-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0489 |
| o4-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0388 |