Question Analysis
An analyst suspects that a restricted-shell escape was performed through a common Perl package manager on Linux. Review the process execution records to determine which tool was invoked to spawn the shell.
bcd4c2bc-490b-4f91-bd31-3709fe75bbdf
Question ID
5/16
Models Correct
1
Valid Answer
31%
Success Rate
Reference Answer
Human-validated correct answer for this question
cpan
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0163 |
gpt-35-turbo | Perl | DeviceProcessEvents
| where tolower(FolderPath) contains "perl"
| where FileName in~ ("cpanm","perlbrew","perl-build","carton","cpan","plenv","ack","perl")
| project ProcessId, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCreationTime | Incorrect | 2 | 11.25s | 0.0060 |
gpt-4-turbo-2024-04-09 | cpan | DeviceProcessEvents
| where (InitiatingProcessFileName has_any ('cpan','cpanm') or InitiatingProcessCommandLine contains 'cpan' or InitiatingProcessCommandLine contains 'cpanm')
| where ProcessCommandLine has_any ('sh', 'bash', 'zsh')
| project DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, TimeGenerated | Correct | 2 | 17.71s | 0.0996 |
gpt-4.1 | dash | DeviceProcessEvents
| where InitiatingProcessFileName has_any ('cpan', 'cpanm', 'cpanp') or InitiatingProcessCommandLine has_any ('cpan', 'cpanm', 'cpanp')
| where FileName has_any ('sh', 'bash', 'dash', 'zsh', 'ksh')
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, AccountName, FolderPath, InitiatingProcessFolderPath | Incorrect | 3 | 16.30s | 0.0333 |
gpt-4.1-finetuned | /bin/sh | DeviceProcessEvents
| where InitiatingProcessCommandLine contains ".sh"
| summarize processCommandLineCount=count() by InitiatingProcessCommandLine, DeviceName, AccountName
| extend timestamp = now()
| sort by processCommandLineCount desc
| extend AccountName = tostring(split(AccountName, "@")[0]), DnsDomain = tostring(split(AccountName, "@")[1])
| extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, "."))
| extend DNSDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
// Please uncomment below to filter the results based on a specific domain/hostname
// | where DNSDomain in ("<your domain/host to be filtered>") or HostName in ("<your domain/host to be filtered>")
// Please uncomment below to filter the results based on a specific account name
// | where AccountName in ("<your account to be filtered>")
| Incorrect | 1 | 21.02s | 0.0866 |
gpt-4.1-mini | cpan | DeviceProcessEvents
| where FileName in ("cpan", "cpanm") or ProcessCommandLine has_any ("cpan", "cpanm")
| where InitiatingProcessFileName in ("sh", "bash", "/bin/sh", "/bin/bash") or InitiatingProcessCommandLine has_any ("sh", "bash", "/bin/sh", "/bin/bash")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 2 | 33.25s | 0.0044 |
gpt-4.1-nano | perl | DeviceProcessEvents
| where ProcessCommandLine contains 'perl' or ProcessCommandLine contains '/bin/sh' or ProcessCommandLine contains 'bash'
| where ProcessCommandLine matches regex '(?i)escape|restricted|shell|perl'
| project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, ProcessId, InitiatingProcessParentFileName, InitiatingProcessParentId, InitiatingProcessParentCreationTime
| order by TimeGenerated desc | Incorrect | 1 | 3.20s | 0.0018 |
gpt-4o | dash | DeviceProcessEvents
| where InitiatingProcessFileName =~ "perl" or InitiatingProcessFileName =~ "cpan"
| where FileName has_any ("bash", "sh", "shell") or ProcessCommandLine has_any ("bash", "sh", "shell")
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine | Incorrect | 1 | 5.70s | 0.0153 |
grok-3-beta | dash | DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where (ProcessCommandLine contains 'perl' or ProcessCommandLine contains 'cpan')
| where (ProcessCommandLine contains 'sh' or ProcessCommandLine contains 'bash' or ProcessCommandLine contains 'shell')
| join kind=inner (
DeviceInfo
| where OSPlatform == 'Linux'
) on DeviceId
| project DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, ProcessCreationTime, DeviceId
| order by ProcessCreationTime desc
| limit 50 | Incorrect | 2 | 31.17s | 0.0644 |
grok-3-mini-beta | perl | DeviceProcessEvents
| where FolderPath startswith "/"
| where InitiatingProcessFileName has_any ("perl", "cpan", "cpanm")
| where ProcessCommandLine has_any ("/bin/sh", "system", "exec", "shell")
| project TimeGenerated, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, ProcessId
| order by TimeGenerated desc | Incorrect | 4 | 38.34s | 0.0059 |
o1-high | cpan | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where InitiatingProcessCommandLine has_any ("perl", "cpan", "cpanm")
| where FileName in~ ("sh", "bash", "zsh", "ksh", "dash")
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 32.64s | 0.2901 |
o1-low | cpan | DeviceProcessEvents
| where FileName in~ ("sh", "bash", "dash", "zsh", "csh", "ksh")
// Identify newly created shell-like processes
| where InitiatingProcessFileName in~ ("cpan", "cpanm", "perl") or InitiatingProcessCommandLine has_any ("cpan", "cpanm")
// Filter for shells spawned by cpan, cpanm, or perl
| project TimeGenerated, DeviceName, FolderPath, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, AccountName
| order by TimeGenerated desc
| Correct | 1 | 39.89s | 0.2824 |
o3-mini-high | dash | DeviceProcessEvents
| where (tolower(InitiatingProcessFileName) has_any ("cpan", "cpanm") or tolower(InitiatingProcessCommandLine) has_any ("cpan", "cpanm"))
| where (tolower(FileName) has_any ("/bin/bash", "/bin/sh") or tolower(ProcessCommandLine) has_any ("/bin/bash", "/bin/sh", "bash", "sh"))
| project TimeGenerated, DeviceName, ProcessId, FileName, ProcessCommandLine, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by TimeGenerated desc | Incorrect | 4 | 65.08s | 0.0374 |
o3-mini-low | cpan | DeviceProcessEvents
| where InitiatingProcessCommandLine contains "cpan"
| where ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "bash"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, ProcessCreationTime, ProcessId, InitiatingProcessId
| order by TimeGenerated desc | Correct | 2 | 35.41s | 0.0187 |
o4-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0434 |
o4-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0485 |