An attacker on a Linux host has attempted to turn off command history by modifying an environment variable. Using process execution logs, determine the exact shell command used to set HISTSIZE to zero.
KQL answer reference and model-by-model benchmark comparison
386d3850-2ce7-4508-b56b-c0558922c814
Question ID
19/23
Models Correct
1
Valid Answer
83%
Success Rate
Reference Answer
Human-validated correct answer for this question
export HISTSIZE=0
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | export HISTSIZE=0 | DeviceProcessEvents
| where ProcessCommandLine contains "HISTSIZE=0"
| project TimeGenerated, DeviceName, ProcessCommandLine, AccountName | Correct | 1 | 7.58s | 0.0031 |
| gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0108 |
| gpt-4-turbo-2024-04-09 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2212 |
| gpt-4.1 | export HISTSIZE=0 | DeviceProcessEvents
| where ProcessCommandLine has "HISTSIZE=0"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | Correct | 1 | 5.59s | 0.0123 |
| gpt-4.1-finetuned | export HISTSIZE=0 | DeviceProcessEvents
| where TimeGenerated >= ago(30d)
| where ProcessCommandLine contains "HISTSIZE=0"
| Correct | 2 | 10.82s | 0.0330 |
| gpt-4.1-mini | export HISTSIZE=0 | DeviceProcessEvents
| where ProcessCommandLine has_cs "HISTSIZE=0"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
| order by Timestamp desc | Correct | 1 | 3.25s | 0.0024 |
| gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0015 |
| gpt-4o | export HISTSIZE=0 | DeviceProcessEvents
| where ProcessCommandLine has "HISTSIZE=0"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | Correct | 1 | 2.99s | 0.0158 |
| gpt-5-high | export HISTSIZE=0 | let histAssign = @"(?i)\b(?:export\s+|declare\s+-x\s+)?HISTSIZE\s*=\s*0\b";
let linuxDevices = DeviceInfo
| where OSPlatform =~ "Linux"
| distinct DeviceId;
DeviceProcessEvents
| where DeviceId in (linuxDevices)
| where ActionType == "ProcessCreated"
| where (isnotempty(ProcessCommandLine) and ProcessCommandLine matches regex histAssign)
or (isnotempty(InitiatingProcessCommandLine) and InitiatingProcessCommandLine matches regex histAssign)
| extend ShellCommand = case(ProcessCommandLine matches regex histAssign, ProcessCommandLine, InitiatingProcessCommandLine)
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountName, FileName, FolderPath, ShellCommand, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessId, InitiatingProcessId
| order by TimeGenerated desc | Correct | 1 | 123.34s | 0.0529 |
| gpt-5-mini-high | export HISTSIZE=0 | let pattern = "(?i)\\b(?:export\\s+HISTSIZE\\s*=\\s*0|HISTSIZE\\s*=\\s*0)\\b";
let linuxDevices = DeviceInfo
| where isnotempty(OSPlatform) and tolower(OSPlatform) contains "linux"
| distinct DeviceId;
let p_proc = DeviceProcessEvents
| where DeviceId in (linuxDevices)
| where isnotempty(ProcessCommandLine) and ProcessCommandLine matches regex pattern
or isnotempty(InitiatingProcessCommandLine) and InitiatingProcessCommandLine matches regex pattern
| extend FoundIn = case(isnotempty(ProcessCommandLine) and ProcessCommandLine matches regex pattern, "ProcessCommandLine", "InitiatingProcessCommandLine")
| project TimeGenerated, SourceTable = "DeviceProcessEvents", DeviceName, DeviceId, AccountName, ProcessId, InitiatingProcessId, ProcessCommandLine, InitiatingProcessCommandLine, FoundIn, ReportId, SourceSystem;
let p_dev = DeviceEvents
| where DeviceId in (linuxDevices)
| where isnotempty(ProcessCommandLine) and ProcessCommandLine matches regex pattern
or isnotempty(InitiatingProcessCommandLine) and InitiatingProcessCommandLine matches regex pattern
| extend FoundIn = case(isnotempty(ProcessCommandLine) and ProcessCommandLine matches regex pattern, "ProcessCommandLine", "InitiatingProcessCommandLine")
| project TimeGenerated, SourceTable = "DeviceEvents", DeviceName, DeviceId, AccountName, ProcessId, InitiatingProcessId, ProcessCommandLine, InitiatingProcessCommandLine, FoundIn, ReportId, SourceSystem;
let p_file = DeviceFileEvents
| where DeviceId in (linuxDevices)
| where isnotempty(InitiatingProcessCommandLine) and InitiatingProcessCommandLine matches regex pattern
or isnotempty(InitiatingProcessCommandLine) and InitiatingProcessCommandLine matches regex pattern
| extend FoundIn = "InitiatingProcessCommandLine"
| project TimeGenerated, SourceTable = "DeviceFileEvents", DeviceName, DeviceId, AccountName = InitiatingProcessAccountName, ProcessId = InitiatingProcessId, InitiatingProcessId, ProcessCommandLine = InitiatingProcessCommandLine, InitiatingProcessCommandLine = InitiatingProcessCommandLine, FoundIn, ReportId, SourceSystem;
(p_proc
| union p_dev
| union p_file)
| sort by TimeGenerated desc
| distinct *
| take 200 | Correct | 1 | 28.21s | 0.0074 |
| gpt-5-mini-low | export HISTSIZE=0 | // Look for commands that set HISTSIZE to 0 in Linux shell process logs
let pattern = @"(?i)(?:\bexport\s+)?HISTSIZE\s*=\s*0\b|\benv\s+HISTSIZE\s*=\s*0\b|\bHISTSIZE\s+0\b";
let proc = DeviceProcessEvents
| where isnotempty(ProcessCommandLine)
// Identify likely shell processes by FileName or by shell mention in the command line
| where FileName in~ ("bash","sh","zsh","dash","ksh","/bin/bash","/bin/sh","/usr/bin/bash","/usr/bin/zsh")
or ProcessCommandLine matches regex @"(?i)\b(bash|sh|zsh|dash|ksh)\b"
| where ProcessCommandLine matches regex pattern
| extend matched = extract(pattern, 0, ProcessCommandLine)
| extend lower_cmd = tolower(ProcessCommandLine)
| extend hpos = indexof(lower_cmd, "histsize")
| extend start_idx = iif(hpos > 100, hpos - 100, 0)
| extend match_context = substring(ProcessCommandLine, start_idx, 300)
| project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain, FileName, ProcessId, ProcessCreationTime, ProcessCommandLine, InitiatingProcessCommandLine, matched, match_context;
let dev = DeviceEvents
| where isnotempty(ProcessCommandLine)
| where FileName in~ ("bash","sh","zsh","dash","ksh","/bin/bash","/bin/sh","/usr/bin/bash","/usr/bin/zsh")
or ProcessCommandLine matches regex @"(?i)\b(bash|sh|zsh|dash|ksh)\b"
| where ProcessCommandLine matches regex pattern
| extend matched = extract(pattern, 0, ProcessCommandLine)
| extend lower_cmd = tolower(ProcessCommandLine)
| extend hpos = indexof(lower_cmd, "histsize")
| extend start_idx = iif(hpos > 100, hpos - 100, 0)
| extend match_context = substring(ProcessCommandLine, start_idx, 300)
| project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain, FileName, ProcessId, ProcessCreationTime, ProcessCommandLine, InitiatingProcessCommandLine, matched, match_context;
proc
| union dev
| where isnotempty(matched) or ProcessCommandLine contains "HISTSIZE"
| order by TimeGenerated desc
| take 200
| project TimeGenerated, DeviceName, DeviceId, AccountDomain=AccountDomain, AccountName, FileName, ProcessId, ProcessCreationTime, ProcessCommandLine, InitiatingProcessCommandLine, matched, match_context
| Correct | 3 | 44.10s | 0.0105 |
| gpt-5-mini-medium | sh -c "export HISTSIZE=0; whoami" | let pattern = @"(?i)(HISTSIZE\s*=\s*0)";
let pe = DeviceProcessEvents
| where isnotempty(ProcessCommandLine) and ProcessCommandLine matches regex pattern
| project TimeGenerated, DeviceName, AccountName, ProcessId, ProcessCreationTime, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine;
let de = DeviceEvents
| where (isnotempty(ProcessCommandLine) and ProcessCommandLine matches regex pattern) or (isnotempty(InitiatingProcessCommandLine) and InitiatingProcessCommandLine matches regex pattern)
| project TimeGenerated, DeviceName, AccountName, ProcessId=ProcessId, ProcessCreationTime, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessFileName;
union pe, de
| extend ExactCommand = coalesce(ProcessCommandLine, InitiatingProcessCommandLine)
| extend Matched = extract(pattern, 1, ExactCommand)
| where isnotempty(ExactCommand)
| project TimeGenerated, DeviceName, AccountName, ProcessId, InitiatingProcessFileName, ProcessCreationTime, ExactCommand, Matched
| sort by TimeGenerated desc
| take 100 | Correct | 1 | 44.22s | 0.0092 |
| gpt-5-nano-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0107 |
| gpt-5-nano-medium | export HISTSIZE=0 | let histPattern = @"(?i)((?:\bHISTSIZE\s*=\s*0\b|export\s+HISTSIZE\s*=\s*0\b))";
DeviceProcessEvents
| where ProcessCommandLine matches regex histPattern or InitiatingProcessCommandLine matches regex histPattern
| extend HistFromProc = extract(histPattern, 1, ProcessCommandLine)
| extend HistFromInit = extract(histPattern, 1, InitiatingProcessCommandLine)
| extend MatchedLine = iif(isnotempty(HistFromInit), HistFromInit, HistFromProc)
| where isnotempty(MatchedLine)
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, MatchedLine, ProcessCommandLine, InitiatingProcessCommandLine
| sort by TimeGenerated desc
| take 100 | Correct | 5 | 165.46s | 0.0080 |
| grok-3-beta | export HISTSIZE=0 | DeviceProcessEvents
| where ProcessCommandLine contains 'HISTSIZE=0'
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, FileName, FolderPath
| order by Timestamp desc | Correct | 1 | 7.36s | 0.0224 |
| grok-3-mini-beta | export HISTSIZE=0; | DeviceProcessEvents
| where ProcessCommandLine contains 'HISTSIZE=0'
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 12.65s | 0.0017 |
| o1-high | export HISTSIZE=0 | DeviceProcessEvents
| where ProcessCommandLine has_any("export HISTSIZE=0", "HISTSIZE=0")
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 40.12s | 0.3144 |
| o1-low | export HISTSIZE=0 | DeviceProcessEvents
| join kind=inner (DeviceInfo | where OSPlatform == "Linux") on DeviceId
| where ProcessCommandLine has "HISTSIZE=0"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessAccountName, FolderPath
| order by TimeGenerated desc | Correct | 1 | 45.66s | 0.3424 |
| o3-high | export HISTSIZE=0 | let timerange = 1d; // the portal will overwrite this
let StartTime = ago(timerange);
let EndTime = now();
// --- identify Linux devices ---
let LinuxDevices = DeviceInfo
| where TimeGenerated between (StartTime .. EndTime)
| where OSPlatform =~ "Linux"
| project DeviceId, DeviceName;
// --- find processes that disable history ---
DeviceProcessEvents
| where TimeGenerated between (StartTime .. EndTime)
| where ActionType =~ "ProcessCreated"
| join kind = inner (LinuxDevices) on DeviceId
// match HISTSIZE = 0 (case-insensitive, allow whitespace)
| where ProcessCommandLine matches regex @"(?i)\bHISTSIZE\s*=\s*0\b"
// keep the most useful context
| project TimeGenerated,
DeviceName,
AccountName,
FileName,
ProcessId,
ProcessCommandLine,
InitiatingProcessCommandLine,
InitiatingProcessAccountName
| order by TimeGenerated desc | Correct | 1 | 57.60s | 0.0344 |
| o3-mini-high | export | DeviceProcessEvents
| where ProcessCommandLine contains "HISTSIZE=0"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 14.93s | 0.0118 |
| o3-mini-low | export HISTSIZE=0 | DeviceProcessEvents
| where ProcessCommandLine contains "HISTSIZE=0"
| project TimeGenerated, DeviceName, ProcessCommandLine | Correct | 1 | 92.77s | 0.0131 |
| o4-mini-high | export HISTSIZE=0 | DeviceProcessEvents
// Filter for HISTSIZE assignments of zero, optionally preceded by 'export'
| where ProcessCommandLine matches regex @"\b(?:export\s+)?HISTSIZE\s*=\s*0\b"
// Restrict to Linux devices
| join kind=inner (
DeviceInfo
| where OSPlatform == "Linux"
| distinct DeviceId
) on DeviceId
// Select and rename fields of interest
| project Timestamp = TimeGenerated,
DeviceName,
AccountName,
ProcessCommandLine,
ProcessId
// Sort chronologically
| sort by Timestamp asc | Correct | 4 | 154.36s | 0.0335 |
| o4-mini-low | export HISTSIZE=0 | DeviceProcessEvents
// (The time filter is applied by the calling context)
| join kind=inner (
DeviceInfo
| where OSPlatform == "Linux"
| project DeviceId
) on DeviceId
| where ProcessCommandLine matches regex @"(?i)\b(export\s+)?HISTSIZE\s*=\s*0\b"
| project TimeGenerated=Timestamp, DeviceName, AccountName, CommandLine=ProcessCommandLine
| sort by TimeGenerated desc | Correct | 2 | 111.05s | 0.0219 |