// question

An endpoint shows a PowerShell process that downloaded and executed a remote script aimed at extracting credentials from the Windows Credential Manager. Review the process creation logs and identify the function name that was invoked to dump the web credentials.

Reference KQL answer and model-by-model comparison.

8fd5a296-6772-4766-9991-ff4e92af7240
question id
2/23
models correct
1
valid answer
9%
success rate
// reference answer

Human-validated correct answer for this question.

Get-CredManCreds
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
Invoke-Inveigh
DeviceProcessEvents
| where FileName in ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("iex", "downloadstring", "iwr", "webclient")
| where ProcessCommandLine has_any ("webcredentials", "vaultcmd", "CredentialManager", "VaultCli", "dpapi", "sekurlsa", "::")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine
fail375.47s0.0367
gpt-35-turbo
Invoke-WebRequest
DeviceProcessEvents
| where ProcessCommandLine contains 'powershell'
| where ProcessCommandLine contains 'Invoke-Expression' or ProcessCommandLine contains 'Invoke-WebRequest' or ProcessCommandLine contains 'Invoke-RestMethod'
| project ProcessCommandLine
fail12.85s0.0027
gpt-4-turbo-2024-04-09
$host.UI.PromptForCredential
DeviceProcessEvents
| where FileName =~ 'powershell.exe' or FileName =~ 'pwsh.exe'
| where ProcessCommandLine has_any('DownloadString', 'WebRequest', 'Invoke-WebRequest', 'Invoke-Expression', 'Net.WebClient', 'IEX', 'Invoke')
| where ProcessCommandLine has_any('credentials', 'password', 'secret', 'dump')
| project DeviceName, AccountName, ProcessCommandLine, TimeGenerated, FileName, FolderPath
| summarize CommandLines = make_set(ProcessCommandLine) by DeviceName, FileName
fail430.84s0.1945
gpt-4.1
no answer
no query generatedfail50.00s0.0517
gpt-4.1-finetuned
no answer
no query generatedfail50.00s0.0496
gpt-4.1-mini
Invoke-WebRequest
DeviceProcessEvents
| where FileName == "powershell.exe"
| where ProcessCommandLine contains_cs "CredentialManager" or ProcessCommandLine contains_cs "WebCredentials" or ProcessCommandLine contains_cs "dump" or ProcessCommandLine contains_cs "Invoke-WebRequest"
    or InitiatingProcessCommandLine contains_cs "CredentialManager" or InitiatingProcessCommandLine contains_cs "WebCredentials" or InitiatingProcessCommandLine contains_cs "dump" or InitiatingProcessCommandLine contains_cs "Invoke-WebRequest"
| project ProcessCreationTime, DeviceName, ProcessId, InitiatingProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| extend DumpFunction= extract(@"(Get-WebCredentials|Dump-Credentials|Invoke-WebRequest|Invoke-CredentialDump|Get-Credential|Dump-WebCredentials)" , 1, ProcessCommandLine)
| where isnotempty(DumpFunction)
| order by ProcessCreationTime desc
fail124.06s0.0030
gpt-4.1-nano
wificreds
DeviceProcessEvents
| where TimeGenerated >= ago(7d)  // Adjust time range as necessary
| where FileName in ('powershell.exe', 'pwsh.exe')  // Focus on PowerShell processes
| where ProcessCommandLine has_any ('Invoke-WebRequest', 'Invoke-RestMethod', 'DownloadString', 'Invoke-Expression')  // Commands indicating script download or execution
| project ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime, DeviceName, InitiatingProcessParentFileName, InitiatingProcessParentId
| order by InitiatingProcessCreationTime desc
fail48.57s0.0018
gpt-4o
Get-CredManCreds
DeviceProcessEvents
| where FileName endswith "powershell.exe" and ProcessCommandLine contains "http" and ProcessCommandLine has_any("Credential", "Dump")
| where ActionType == "ProcessCreated"
| extend InvokedFunctionName = tostring(parse_json(AdditionalFields).FunctionName)
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, InvokedFunctionName
| order by TimeGenerated desc
pass424.29s0.0376
gpt-5-high
Get-PasswordVaultCredentials
let psh_bins = dynamic(["powershell.exe","pwsh.exe","powershell_ise.exe"]);
let dl_terms = dynamic(["DownloadString","Invoke-WebRequest","Invoke-RestMethod","iwr","irm","curl","wget","Start-BitsTransfer","Net.WebClient","WebClient"]);
let exec_terms = dynamic(["iex","Invoke-Expression"]);
let func_re = "(?i)\\b((?:Invoke|Get|Dump|Search|Show|Out|New|Set|Export|Read)-?(?:Web|Cred|Credential|Credman|Vault)[A-Za-z]*|DumpCreds|Invoke-WCMDump|Invoke-CredManDump)\\b";
let base = DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName in~ (psh_bins)
| project TimeGenerated, DeviceId, DeviceName, AccountDomain, AccountName, FileName, ProcessCommandLine;
let dec = base
| extend EncArg = extract("(?i)(?:^|\\s)(?:-|/)(?:enc|encodedcommand|encoded|e|ec)\\s+['\\\"]?([A-Za-z0-9+/=]{20,})['\\\"]?", 1, ProcessCommandLine)
| where isnotempty(EncArg)
| extend Decoded = base64_decode_tostring(EncArg)
| extend Cmd = strcat(ProcessCommandLine, " ; ", Decoded);
let plain = base
| where isempty(extract("(?i)(?:^|\\s)(?:-|/)(?:enc|encodedcommand|encoded|e|ec)\\b", 0, ProcessCommandLine))
| extend Cmd = ProcessCommandLine;
union dec, plain
| extend CmdN = replace_string(Cmd, "`", "")
| where (CmdN contains "http" or CmdN contains "https")
| where CmdN has_any (dl_terms) and CmdN has_any (exec_terms)
| extend Functions = extract_all(func_re, CmdN)
| mv-expand Functions
| where isnotempty(Functions)
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Count=count(), SampleCmd=any(CmdN) by InvokedFunction=tostring(Functions), DeviceName
| order by LastSeen desc
fail5435.41s0.2477
gpt-5-mini-high
no answer
no query generatedfail50.00s0.0286
gpt-5-mini-low
Get-PasswordVaultCredentials
let suspects = DeviceProcessEvents
| where Timestamp between (startofday(ago(7d)) .. now())
| where tolower(FileName) has_any ("powershell", "pwsh", "wsmprovhost")
| where ProcessCommandLine has_any ("Invoke-Expression", "IEX", "Invoke-WebRequest", "wget", "curl", "DownloadString", "DownloadFile", "Invoke-RestMethod", "-EncodedCommand", "-Command")
| project Timestamp, DeviceId, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessId, ProcessCreationTime, FileName, ProcessCommandLine, AdditionalFields;

// also include DeviceEvents which may include script blocks or network download details
let devEvents = DeviceEvents
| where Timestamp between (startofday(ago(7d)) .. now())
| where tolower(FileName) has_any ("powershell", "pwsh", "wsmprovhost")
| project Timestamp, DeviceId, DeviceName, FileName, ProcessId, ProcessCreationTime, ProcessCommandLine, AdditionalFields, RemoteUrl, FileOriginUrl;

suspects
| union devEvents
| extend cmd = tostring(ProcessCommandLine)
| extend combined = strcat(cmd, " ", tostring(AdditionalFields), " ", tostring(RemoteUrl), " ", tostring(FileOriginUrl))
// look for likely function names that reference credential manager or web credentials
| extend fn_candidates = extract_all(@"(?i)(Get|Dump|Export|Read|Find|Unlock)?-?(Web|WinCred|Credential|Cred|StoredCredential|Vault|CredentialManager|Password|Chrome|Edge|Firefox)[A-Za-z0-9_\-]*", combined)
| mv-expand fn_candidates to typeof(string)
| where isnotempty(fn_candidates)
| summarize count = count(), any_CommandLine = any(cmd), any_InitiatingProcess = any(InitiatingProcessCommandLine), any_AdditionalFields = any(AdditionalFields) by FunctionName = fn_candidates, DeviceId, DeviceName
| sort by count desc
| take 50
fail114.02s0.0030
gpt-5-mini-medium
no answer
no query generatedfail50.00s0.0192
gpt-5-nano-high
no answer
no query generatedfail50.00s0.0079
gpt-5-nano-medium
no answer
no query generatedfail50.00s0.0078
grok-3-beta
Get-CredManCreds
let TimeRange = ago(7d);
DeviceProcessEvents
| where Timestamp >= TimeRange
| where InitiatingProcessFileName =~ "powershell.exe" or FileName =~ "powershell.exe"
| where ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "IEX" or ProcessCommandLine contains "Invoke-Expression"
| join kind=leftouter (
    DeviceNetworkEvents
    | where Timestamp >= TimeRange
    | where RemoteUrl != ""
    | summarize FirstRemoteUrl = min(RemoteUrl) by DeviceId, InitiatingProcessId, Timestamp
) on DeviceId, InitiatingProcessId
| where ProcessCommandLine matches regex @"(?i)(credential|password|dump|extract|get|vault|credman)"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName, RemoteUrl=FirstRemoteUrl, ProcessId, InitiatingProcessId
| order by Timestamp desc
pass220.97s0.0452
grok-3-mini-beta
Get-PasswordVaultCredentials
DeviceProcessEvents
| where FileName has "powershell.exe"
| where ProcessCommandLine has_any ("Invoke-WebRequest", "IEX", "downloadstring", "credential", "CredEnumerate")
| project TimeGenerated, DeviceName, ProcessCommandLine, ProcessId
| order by TimeGenerated desc
fail117.26s0.0023
o1-high
Get-PasswordVaultCredentials
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where tolower(FileName) has "powershell"
| where tolower(ProcessCommandLine) has_any ("download", "iwr", "wget", "curl", "invoke-webrequest", "system.net.webclient", "invoke-expression", "iex", "new-object net.webclient", "invoke-restmethod")
| where tolower(ProcessCommandLine) contains "vault" or tolower(ProcessCommandLine) contains "cred"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated desc
fail4130.91s0.9809
o1-low
no answer
no query generatedfail50.00s0.9557
o3-high
Get-PasswordVaultCredentials
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
// --- Remote download & execution indicators
| where ProcessCommandLine has_any ("Invoke-WebRequest", "Invoke-RestMethod", "New-Object Net.WebClient", "iwr", "irm", "wget", "curl", "Start-BitsTransfer")
// --- Credential-manager related keywords
| where ProcessCommandLine has_any ("Vault", "Cred", "Credential", "CredEnumerate", "VaultCmd")
// --- Extract name of the function/cmdlet that dumps the web creds
| extend FunctionInvoked = iff(
        ProcessCommandLine matches regex @"\b((Get|Invoke|Set|Remove|New|Import|Export|Clear)-[A-Za-z][A-Za-z0-9]*Cred[A-Za-z0-9]*)\b",
        extract(@"\b((Get|Invoke|Set|Remove|New|Import|Export|Clear)-[A-Za-z][A-Za-z0-9]*Cred[A-Za-z0-9]*)\b", 1, ProcessCommandLine),
        iff(ProcessCommandLine has "CredEnumerate", "CredEnumerate", iff(ProcessCommandLine has "VaultCmd", "VaultCmd", "")))
| where isnotempty(FunctionInvoked)
| project TimeGenerated, DeviceName, ProcessCommandLine, FunctionInvoked
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), CommandLineSample=any(ProcessCommandLine) by DeviceName, FunctionInvoked
| order by LastSeen desc
fail153.58s0.0313
o3-mini-high
Minidump
DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("http", "https")
// Extract any function name containing 'Dump' (case-insensitive)
| extend DumpFunction = extract("(?i)([A-Za-z0-9_]+Dump[A-Za-z0-9_]*)", 1, ProcessCommandLine)
| where isnotempty(DumpFunction)
| project TimeGenerated, DeviceName, ProcessCommandLine, DumpFunction
fail230.83s0.0204
o3-mini-low
no answer
no query generatedfail50.00s0.0423
o4-mini-high
Seatbelt
DeviceProcessEvents
| where FileName == "powershell.exe"
// Only include runs that reference a .ps1 script (likely downloaded)
| where ProcessCommandLine contains ".ps1"
// Look for any Invoke- function call in the parameters
| where ProcessCommandLine matches regex @"Invoke-[A-Za-z0-9_]+"
// Extract the function name invoked to dump credentials
| extend FunctionName = extract(@"Invoke-([A-Za-z0-9_]+)", 1, ProcessCommandLine)
| where isnotempty(FunctionName)
// Show the key context to identify the credential dumping routine
| project TimeGenerated, DeviceName, AccountName, ProcessId, FunctionName, ProcessCommandLine
| sort by TimeGenerated desc
fail130.27s0.0136
o4-mini-low
no answer
no query generatedfail50.00s0.0481