Question Analysis
An attacker has attempted to sideload code by invoking regsvr32.exe on a Windows host against a file that does not use the standard .dll extension. Investigate the process event logs to determine the name of the file that was registered.
1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421
Question ID
10/16
Models Correct
1
Valid Answer
63%
Success Rate
Reference Answer
Human-validated correct answer for this question
shell32.jpg
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | shell32.jpg | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName == "regsvr32.exe"
| extend match = extract_all(@'regsvr32.*? (?:"(.*?)"|(\S+))', ProcessCommandLine)
| where array_length(match) > 0
| extend RegisteredFileName = coalesce(match[0][0], match[0][1])
| where isnotempty(RegisteredFileName)
| where not(RegisteredFileName endswith ".dll") and not(RegisteredFileName endswith ".ocx")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, RegisteredFileName, ReportId | Correct | 1 | 30.24s | 0.0189 |
gpt-35-turbo | regsvr32.exe | DeviceProcessEvents | where FileName !endswith '.dll' | extend index = strcat(ProcessId, AccountName) | where ProcessCommandLine has 'regsvr32.exe' | summarize max(TimeGenerated) by index, FileName | Incorrect | 2 | 5.37s | 0.0048 |
gpt-4-turbo-2024-04-09 | shell32.jpg | DeviceProcessEvents
| where InitiatingProcessFileName =~ 'regsvr32.exe' or InitiatingProcessCommandLine has 'regsvr32.exe'
| extend fileExtension = tostring(split(FileName, '.')[1])
| where FileName !endswith '.dll'
| project DeviceName, FileName, InitiatingProcessCommandLine, TimeGenerated | Correct | 2 | 15.87s | 0.0979 |
gpt-4.1 | shell32.jpg | DeviceProcessEvents
| where FileName =~ "regsvr32.exe"
| where not(ProcessCommandLine has ".dll")
| extend SideloadedFile = extract(@"regsvr32\.exe\s+([^\s]+)", 1, ProcessCommandLine)
| where isnotempty(SideloadedFile) and not(SideloadedFile endswith ".dll")
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, SideloadedFile | Correct | 3 | 19.47s | 0.0214 |
gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0514 |
gpt-4.1-mini | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0078 |
gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0018 |
gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0645 |
grok-3-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0862 |
grok-3-mini-beta | shell32.jpg | DeviceProcessEvents
| where FileName == 'regsvr32.exe'
| extend filePart = extract(@'[^\\]+$', 0, ProcessCommandLine) // Extract the last part of the command line, assuming it's the file name
| extend extension = tolower(extract(@'\.([^\.]+)$', 1, filePart)) // Extract and lowercase the file extension
| where extension != 'dll' and isnotnull(extension) // Filter for files not ending with .dll
| project FileName, ProcessCommandLine, filePart // Project relevant fields to show the file name | Correct | 1 | 16.73s | 0.0016 |
o1-high | shell32.jpg | DeviceProcessEvents
| where FileName =~ "regsvr32.exe"
| where isnotempty(ProcessCommandLine)
| where not(ProcessCommandLine has ".dll")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine | Correct | 1 | 29.92s | 0.2244 |
o1-low | shell32.jpg | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName =~ "regsvr32.exe"
| where not(tolower(ProcessCommandLine) has ".dll")
| project TimeGenerated, DeviceName, ProcessCommandLine, FolderPath, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 28.36s | 0.2249 |
o3-mini-high | shell32.jpg | DeviceProcessEvents
| where tolower(ProcessCommandLine) has "regsvr32.exe"
| where not(tolower(ProcessCommandLine) has ".dll")
| extend RegisteredFile = extract("regsvr32\\.exe\\s+(?:/[^\\s]+\\s+)*([^\\s]+)", 1, ProcessCommandLine)
| where isnotempty(RegisteredFile)
| project TimeGenerated, DeviceName, ProcessCommandLine, RegisteredFile | Correct | 3 | 41.48s | 0.0297 |
o3-mini-low | shell32.jpg | DeviceProcessEvents
| where ProcessCommandLine contains "regsvr32.exe"
| extend SideloadedFile = extract("regsvr32\\.exe\\s+['\"]?([^'\"]+)", 1, ProcessCommandLine)
| where isnotempty(SideloadedFile) and tolower(SideloadedFile) !endswith ".dll"
| project TimeGenerated, DeviceName, ProcessCommandLine, SideloadedFile | Correct | 2 | 23.69s | 0.0217 |
o4-mini-high | shell32.jpg | DeviceProcessEvents
| where tolower(FileName) == "regsvr32.exe"
| where isnotempty(ProcessCommandLine)
// Extract the arguments string after 'regsvr32.exe'
| parse ProcessCommandLine with * "regsvr32.exe" rest:string
// Split on spaces and take the first token as the target file
| extend args = split(rest, " ")
| extend RegisteredFile = trim('"', tostring(args[0]))
// Filter out switches (starting with '/') and standard .dll targets
| where RegisteredFile !startswith "/"
| where tolower(RegisteredFile) !endswith ".dll"
| project TimeGenerated, DeviceName, AccountName, RegisteredFile, ProcessCommandLine
| sort by TimeGenerated desc | Correct | 5 | 157.74s | 0.0433 |
o4-mini-low | shell32.jpg | DeviceProcessEvents
| where FileName == "regsvr32.exe"
// Extract the first non-switch argument (the target file)
| extend TargetFile = extract(@"(?:regsvr32(?:\.exe)?)(?:\s+/\w+)*\s+([^\s]+)", 1, ProcessCommandLine)
// Only include files that don’t end in .dll
| where isnotempty(TargetFile) and tolower(TargetFile) !endswith ".dll"
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountName, ProcessCommandLine, TargetFile
| sort by TimeGenerated desc | Correct | 1 | 34.24s | 0.0084 |