// question
An attacker has attempted to sideload code by invoking regsvr32.exe in a Windows host against a file that does not use the standard .dll extension. Investigate the process event logs to determine the name of the file that was registered.
Reference KQL answer and model-by-model comparison.
1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421
question id
10/23
models correct
1
valid answer
43%
success rate
// reference answer
Human-validated correct answer for this question.
shell32.jpg
// model comparison
| Model | Answer | KQL query | Status | Tries | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | shell32.jpg | DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName == "regsvr32.exe" | extend match = extract_all(@'regsvr32.*? (?:"(.*?)"|(\S+))', ProcessCommandLine) | where array_length(match) > 0 | extend RegisteredFileName = coalesce(match[0][0], match[0][1]) | where isnotempty(RegisteredFileName) | where not(RegisteredFileName endswith ".dll") and not(RegisteredFileName endswith ".ocx") | project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, RegisteredFileName, ReportId | pass | 1 | 30.24s | 0.0189 |
| gpt-35-turbo | regsvr32.exe | DeviceProcessEvents | where FileName !endswith '.dll' | extend index = strcat(ProcessId, AccountName) | where ProcessCommandLine has 'regsvr32.exe' | summarize max(TimeGenerated) by index, FileName | fail | 2 | 5.37s | 0.0048 |
| gpt-4-turbo-2024-04-09 | shell32.jpg | DeviceProcessEvents | where InitiatingProcessFileName =~ 'regsvr32.exe' or InitiatingProcessCommandLine has 'regsvr32.exe' | extend fileExtension = tostring(split(FileName, '.')[1]) | where FileName !endswith '.dll' | project DeviceName, FileName, InitiatingProcessCommandLine, TimeGenerated | pass | 2 | 15.87s | 0.0979 |
| gpt-4.1 | shell32.jpg | DeviceProcessEvents | where FileName =~ "regsvr32.exe" | where not(ProcessCommandLine has ".dll") | extend SideloadedFile = extract(@"regsvr32\.exe\s+([^\s]+)", 1, ProcessCommandLine) | where isnotempty(SideloadedFile) and not(SideloadedFile endswith ".dll") | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, SideloadedFile | pass | 3 | 19.47s | 0.0214 |
| gpt-4.1-finetuned | no answer | no query generated | fail | 5 | 0.00s | 0.0514 |
| gpt-4.1-mini | no answer | no query generated | fail | 5 | 0.00s | 0.0078 |
| gpt-4.1-nano | no answer | no query generated | fail | 5 | 0.00s | 0.0018 |
| gpt-4o | no answer | no query generated | fail | 5 | 0.00s | 0.0645 |
| gpt-5-high | no answer | no query generated | fail | 5 | 0.00s | 0.3539 |
| gpt-5-mini-high | no answer | no query generated | fail | 5 | 0.00s | 0.0251 |
| gpt-5-mini-low | no answer | no query generated | fail | 5 | 0.00s | 0.0162 |
| gpt-5-mini-medium | no answer | no query generated | fail | 5 | 0.00s | 0.0192 |
| gpt-5-nano-high | no answer | no query generated | fail | 5 | 0.00s | 0.0107 |
| gpt-5-nano-medium | no answer | no query generated | fail | 5 | 0.00s | 0.0110 |
| grok-3-beta | no answer | no query generated | fail | 5 | 0.00s | 0.0862 |
| grok-3-mini-beta | shell32.jpg | DeviceProcessEvents | where FileName == 'regsvr32.exe' | extend filePart = extract(@'[^\\]+$', 0, ProcessCommandLine) // Extract the last part of the command line, assuming it's the file name | extend extension = tolower(extract(@'\.([^\.]+)$', 1, filePart)) // Extract and lowercase the file extension | where extension != 'dll' and isnotnull(extension) // Filter for files not ending with .dll | project FileName, ProcessCommandLine, filePart // Project relevant fields to show the file name | pass | 1 | 16.73s | 0.0016 |
| o1-high | shell32.jpg | DeviceProcessEvents | where FileName =~ "regsvr32.exe" | where isnotempty(ProcessCommandLine) | where not(ProcessCommandLine has ".dll") | project TimeGenerated, DeviceName, FileName, ProcessCommandLine | pass | 1 | 29.92s | 0.2244 |
| o1-low | shell32.jpg | DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName =~ "regsvr32.exe" | where not(tolower(ProcessCommandLine) has ".dll") | project TimeGenerated, DeviceName, ProcessCommandLine, FolderPath, InitiatingProcessCommandLine | order by TimeGenerated desc | pass | 1 | 28.36s | 0.2249 |
| o3-high | no answer | no query generated | fail | 5 | 0.00s | 0.0989 |
| o3-mini-high | shell32.jpg | DeviceProcessEvents
| where tolower(ProcessCommandLine) has "regsvr32.exe"
| where not(tolower(ProcessCommandLine) has ".dll")
| extend RegisteredFile = extract("regsvr32\\.exe\\s+(?:/[^\\s]+\\s+)*([^\\s]+)", 1, ProcessCommandLine)
| where isnotempty(RegisteredFile)
| project TimeGenerated, DeviceName, ProcessCommandLine, RegisteredFile | pass | 3 | 41.48s | 0.0297 |
| o3-mini-low | shell32.jpg | DeviceProcessEvents
| where ProcessCommandLine contains "regsvr32.exe"
| extend SideloadedFile = extract("regsvr32\\.exe\\s+['\"]?([^'\"]+)", 1, ProcessCommandLine)
| where isnotempty(SideloadedFile) and tolower(SideloadedFile) !endswith ".dll"
| project TimeGenerated, DeviceName, ProcessCommandLine, SideloadedFile | pass | 2 | 23.69s | 0.0217 |
| o4-mini-high | shell32.jpg | DeviceProcessEvents
| where tolower(FileName) == "regsvr32.exe"
| where isnotempty(ProcessCommandLine)
// Extract the arguments string after 'regsvr32.exe'
| parse ProcessCommandLine with * "regsvr32.exe" rest:string
// Split on spaces and take the first token as the target file
| extend args = split(rest, " ")
| extend RegisteredFile = trim('"', tostring(args[0]))
// Filter out switches (starting with '/') and standard .dll targets
| where RegisteredFile !startswith "/"
| where tolower(RegisteredFile) !endswith ".dll"
| project TimeGenerated, DeviceName, AccountName, RegisteredFile, ProcessCommandLine
| sort by TimeGenerated desc | pass | 5 | 157.74s | 0.0433 |
| o4-mini-low | shell32.jpg | DeviceProcessEvents | where FileName == "regsvr32.exe" // Extract the first non-switch argument (the target file) | extend TargetFile = extract(@"(?:regsvr32(?:\.exe)?)(?:\s+/\w+)*\s+([^\s]+)", 1, ProcessCommandLine) // Only include files that don’t end in .dll | where isnotempty(TargetFile) and tolower(TargetFile) !endswith ".dll" | project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountName, ProcessCommandLine, TargetFile | sort by TimeGenerated desc | pass | 1 | 34.24s | 0.0084 |