Question Analysis
An alert has surfaced on a Linux host indicating a potentially malicious recursive delete operation (for example `rm -r`/`rm -rf`). Investigate the process-creation events (the `DeviceProcessEvents` table, not file-deletion events) to determine which directory was completely removed. The expected answer is the bare directory name (the last path component), not its absolute path.
a415f17e-ce8d-4ce2-a8b4-83b674e7017e
Question ID
0/16
Models Correct
1
Valid Answer
0%
Success Rate
Reference Answer
Human-validated correct answer for this question
victim-folder
Model Performance Comparison
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | /tmp/atomic-test-T1036.006 | DeviceFileEvents
| where ActionType == "FileDeleted"
| summarize CountOfDeletedFiles = count() by DeviceName, FolderPath, InitiatingProcessCommandLine
| order by CountOfDeletedFiles desc | Incorrect | 1 | 12.25s | 0.0059 |
gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0107 |
gpt-4-turbo-2024-04-09 | /tmp/victim-files | DeviceProcessEvents
| where FileName contains 'bash' or FileName contains 'sh'
| where ProcessCommandLine contains 'rm' and ProcessCommandLine contains '-rf'
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, FolderPath | Incorrect | 1 | 12.30s | 0.0841 |
gpt-4.1 | /var/spool/mail/copy; | DeviceProcessEvents
| where ProcessCommandLine has 'rm' and ProcessCommandLine has '-rf'
| extend regex = @'rm\s+-rf\s+([^\s]+)'
| extend RemovedDirectory = extract(regex, 1, ProcessCommandLine)
| where isnotempty(RemovedDirectory)
| summarize DeleteCount=count(), MinTime=min(TimeGenerated), MaxTime=max(TimeGenerated) by DeviceName, RemovedDirectory
| sort by DeleteCount desc, MaxTime desc | Incorrect | 1 | 16.00s | 0.0141 |
gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0480 |
gpt-4.1-mini | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0075 |
gpt-4.1-nano | /var/spool/mail/copy; | DeviceProcessEvents
| where ProcessCommandLine has_any ('rm -rf', 'rm -r')
| extend DeletedDirectory = extract(@'rm -rf? \*?(\/[^\s]+)', 1, ProcessCommandLine)
| where isnotempty(DeletedDirectory)
| summarize Count = count() by DeletedDirectory
| order by Count desc
| take 10 | Incorrect | 5 | 25.08s | 0.0013 |
gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0629 |
grok-3-beta | /tmp/art-staging | DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where ProcessCommandLine has 'rm'
| where ProcessCommandLine matches regex @'rm\s+(-[a-zA-Z]*r[a-zA-Z]*\s+|--recursive\s+)[^\s]*'
| join kind=leftouter DeviceInfo on DeviceId
| where OSPlatform contains 'Linux'
| extend TargetDirectory = extract(@'rm\s+(-[a-zA-Z]*r[a-zA-Z]*\s+|--recursive\s+)([^\s]+)', 2, ProcessCommandLine)
| where isnotempty(TargetDirectory)
| project Timestamp, DeviceName, ProcessCommandLine, TargetDirectory, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
| limit 50 | Incorrect | 5 | 40.78s | 0.1078 |
grok-3-mini-beta | /usr/bin | let linuxDevices = DeviceInfo | where OSPlatform == 'Linux' | distinct DeviceId;
DeviceProcessEvents
| where DeviceId in (linuxDevices)
| where ProcessCommandLine has "rm" and (ProcessCommandLine has "-r" or ProcessCommandLine has "-rf")
| project Timestamp, DeviceName, FolderPath, ProcessCommandLine
| order by Timestamp desc
| summarize RemovedDirectories = make_set(FolderPath) by DeviceName | Incorrect | 2 | 26.82s | 0.0030 |
o1-high | art-staging | DeviceInfo
| where OSPlatform == "Linux"
| distinct DeviceId, DeviceName
| join kind=inner (
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine has_any ("rm", "-r", "--recursive")
// Attempt to extract the directory following an "rm -r" or "rm --recursive" pattern
| extend RemovedDirectory = extract(@"(?:rm\s+.*-r\S*\s+)([^\s]+)", 1, ProcessCommandLine)
| where isnotempty(RemovedDirectory)
| project TimeGenerated, DeviceId, ProcessCommandLine, RemovedDirectory
) on DeviceId
| project TimeGenerated, DeviceName, RemovedDirectory, ProcessCommandLine
| order by TimeGenerated desc | Incorrect | 1 | 63.08s | 0.4722 |
o1-low | /tmp/atomic-test-T1036.006 | DeviceInfo
| where OSPlatform == "Linux"
| join kind=inner (
DeviceFileEvents
| where ActionType contains "Delete"
| where InitiatingProcessCommandLine has_any ("rm -r", "rm -rf")
) on DeviceId
| project TimeGenerated, DeviceName, ActionType, FolderPath, InitiatingProcessCommandLine
| order by TimeGenerated desc | Incorrect | 3 | 97.89s | 0.6721 |
o3-mini-high | art-staging | DeviceProcessEvents
| where ProcessCommandLine has "rm -rf"
| extend RemovedDirectory = extract(@"rm\s+-rf\s+(\S+)", 1, ProcessCommandLine)
| where isnotempty(RemovedDirectory)
| project TimeGenerated, DeviceName, ProcessCommandLine, RemovedDirectory
| order by TimeGenerated desc | Incorrect | 1 | 36.15s | 0.0215 |
o3-mini-low | art-staging | DeviceProcessEvents
| where InitiatingProcessCommandLine has "rm" and InitiatingProcessCommandLine has "-rf"
| extend RemovedDir = extract(@"rm\s+-rf\s+(\S+)", 1, InitiatingProcessCommandLine)
| where isnotempty(RemovedDir)
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, RemovedDir, FolderPath
| order by TimeGenerated desc | Incorrect | 1 | 28.43s | 0.0193 |
o4-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0489 |
o4-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0388 |