Question Analysis
An endpoint shows a PowerShell process that downloaded and executed a remote script designed to extract credentials from the Windows Credential Manager. Review the process creation logs and identify the name of the function that was invoked to dump the web credentials.
8fd5a296-6772-4766-9991-ff4e92af7240
Question ID
2/16
Models Correct
1
Valid Answer
13%
Success Rate
Reference Answer
Human-validated correct answer for this question
Get-CredManCreds
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | Invoke-Inveigh | DeviceProcessEvents
| where FileName in ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("iex", "downloadstring", "iwr", "webclient")
| where ProcessCommandLine has_any ("webcredentials", "vaultcmd", "CredentialManager", "VaultCli", "dpapi", "sekurlsa", "::")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine | Incorrect | 3 | 75.47s | 0.0367 |
gpt-35-turbo | Invoke-WebRequest | DeviceProcessEvents
| where ProcessCommandLine contains 'powershell'
| where ProcessCommandLine contains 'Invoke-Expression' or ProcessCommandLine contains 'Invoke-WebRequest' or ProcessCommandLine contains 'Invoke-RestMethod'
| project ProcessCommandLine | Incorrect | 1 | 2.85s | 0.0027 |
gpt-4-turbo-2024-04-09 | $host.UI.PromptForCredential | DeviceProcessEvents
| where FileName =~ 'powershell.exe' or FileName =~ 'pwsh.exe'
| where ProcessCommandLine has_any('DownloadString', 'WebRequest', 'Invoke-WebRequest', 'Invoke-Expression', 'Net.WebClient', 'IEX', 'Invoke')
| where ProcessCommandLine has_any('credentials', 'password', 'secret', 'dump')
| project DeviceName, AccountName, ProcessCommandLine, TimeGenerated, FileName, FolderPath
| summarize CommandLines = make_set(ProcessCommandLine) by DeviceName, FileName | Incorrect | 4 | 30.84s | 0.1945 |
gpt-4.1 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0517 |
gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0496 |
gpt-4.1-mini | Invoke-WebRequest | DeviceProcessEvents
| where FileName == "powershell.exe"
| where ProcessCommandLine contains_cs "CredentialManager" or ProcessCommandLine contains_cs "WebCredentials" or ProcessCommandLine contains_cs "dump" or ProcessCommandLine contains_cs "Invoke-WebRequest"
or InitiatingProcessCommandLine contains_cs "CredentialManager" or InitiatingProcessCommandLine contains_cs "WebCredentials" or InitiatingProcessCommandLine contains_cs "dump" or InitiatingProcessCommandLine contains_cs "Invoke-WebRequest"
| project ProcessCreationTime, DeviceName, ProcessId, InitiatingProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| extend DumpFunction= extract(@"(Get-WebCredentials|Dump-Credentials|Invoke-WebRequest|Invoke-CredentialDump|Get-Credential|Dump-WebCredentials)" , 1, ProcessCommandLine)
| where isnotempty(DumpFunction)
| order by ProcessCreationTime desc | Incorrect | 1 | 24.06s | 0.0030 |
gpt-4.1-nano | wificreds | DeviceProcessEvents
| where TimeGenerated >= ago(7d) // Adjust time range as necessary
| where FileName in ('powershell.exe', 'pwsh.exe') // Focus on PowerShell processes
| where ProcessCommandLine has_any ('Invoke-WebRequest', 'Invoke-RestMethod', 'DownloadString', 'Invoke-Expression') // Commands indicating script download or execution
| project ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime, DeviceName, InitiatingProcessParentFileName, InitiatingProcessParentId
| order by InitiatingProcessCreationTime desc | Incorrect | 4 | 8.57s | 0.0018 |
gpt-4o | Get-CredManCreds | DeviceProcessEvents
| where FileName endswith "powershell.exe" and ProcessCommandLine contains "http" and ProcessCommandLine has_any("Credential", "Dump")
| where ActionType == "ProcessCreated"
| extend InvokedFunctionName = tostring(parse_json(AdditionalFields).FunctionName)
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, InvokedFunctionName
| order by TimeGenerated desc | Correct | 4 | 24.29s | 0.0376 |
grok-3-beta | Get-CredManCreds | let TimeRange = ago(7d);
DeviceProcessEvents
| where Timestamp >= TimeRange
| where InitiatingProcessFileName =~ "powershell.exe" or FileName =~ "powershell.exe"
| where ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "IEX" or ProcessCommandLine contains "Invoke-Expression"
| join kind=leftouter (
DeviceNetworkEvents
| where Timestamp >= TimeRange
| where RemoteUrl != ""
| summarize FirstRemoteUrl = min(RemoteUrl) by DeviceId, InitiatingProcessId, Timestamp
) on DeviceId, InitiatingProcessId
| where ProcessCommandLine matches regex @"(?i)(credential|password|dump|extract|get|vault|credman)"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName, RemoteUrl=FirstRemoteUrl, ProcessId, InitiatingProcessId
| order by Timestamp desc | Correct | 2 | 20.97s | 0.0452 |
grok-3-mini-beta | Get-PasswordVaultCredentials | DeviceProcessEvents
| where FileName has "powershell.exe"
| where ProcessCommandLine has_any ("Invoke-WebRequest", "IEX", "downloadstring", "credential", "CredEnumerate")
| project TimeGenerated, DeviceName, ProcessCommandLine, ProcessId
| order by TimeGenerated desc | Incorrect | 1 | 17.26s | 0.0023 |
o1-high | Get-PasswordVaultCredentials | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where tolower(FileName) has "powershell"
| where tolower(ProcessCommandLine) has_any ("download", "iwr", "wget", "curl", "invoke-webrequest", "system.net.webclient", "invoke-expression", "iex", "new-object net.webclient", "invoke-restmethod")
| where tolower(ProcessCommandLine) contains "vault" or tolower(ProcessCommandLine) contains "cred"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated desc | Incorrect | 4 | 130.91s | 0.9809 |
o1-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.9557 |
o3-mini-high | Minidump | DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("http", "https")
// Extract any function name containing 'Dump' (case-insensitive)
| extend DumpFunction = extract("(?i)([A-Za-z0-9_]+Dump[A-Za-z0-9_]*)", 1, ProcessCommandLine)
| where isnotempty(DumpFunction)
| project TimeGenerated, DeviceName, ProcessCommandLine, DumpFunction | Incorrect | 2 | 30.83s | 0.0204 |
o3-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0423 |
o4-mini-high | Seatbelt | DeviceProcessEvents
| where FileName == "powershell.exe"
// Only include runs that reference a .ps1 script (likely downloaded)
| where ProcessCommandLine contains ".ps1"
// Look for any Invoke- function call in the parameters
| where ProcessCommandLine matches regex @"Invoke-[A-Za-z0-9_]+"
// Extract the function name invoked to dump credentials
| extend FunctionName = extract(@"Invoke-([A-Za-z0-9_]+)", 1, ProcessCommandLine)
| where isnotempty(FunctionName)
// Show the key context to identify the credential dumping routine
| project TimeGenerated, DeviceName, AccountName, ProcessId, FunctionName, ProcessCommandLine
| sort by TimeGenerated desc | Incorrect | 1 | 30.27s | 0.0136 |
o4-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0481 |