Question Analysis
Analyze Windows process events for any schtasks.exe commands that created a new task invoking PowerShell. What is the name of the .ps1 script specified to run?
f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9
Question ID
9/16
Models Correct
1
Valid Answer
56%
Success Rate
Reference Answer
Human-validated correct answer for this question
T1036.004_NonExistingScript.ps1
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | T1036.004_NonExistingScript.ps1 | DeviceProcessEvents
| where FileName == "schtasks.exe"
| where ProcessCommandLine has "/create" and ProcessCommandLine has_any ("powershell", "pwsh")
| extend ScriptFileName = extract(@'\b([a-zA-Z0-9_.-]+\.ps1)\b', 1, ProcessCommandLine)
| where isnotempty(ScriptFileName)
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine, ScriptFileName | Correct | 1 | 14.39s | 0.0066 |
| gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0120 |
| gpt-4-turbo-2024-04-09 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2367 |
| gpt-4.1 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0582 |
| gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0553 |
| gpt-4.1-mini | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0067 |
| gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0013 |
| gpt-4o | T1036.004_NonExistingScript.ps1 | DeviceProcessEvents
| where FileName == "schtasks.exe" and ProcessCommandLine contains "powershell"
| extend PSFileName = extract(@"([\w\/\:\-]+\.ps1)", 1, ProcessCommandLine)
| where isnotempty(PSFileName)
| project DeviceId, DeviceName, ProcessCommandLine, PSFileName, TimeGenerated | Correct | 2 | 5.73s | 0.0277 |
| grok-3-beta | T1036.004_NonExistingScript.ps1 | DeviceProcessEvents
| where FileName contains 'schtasks.exe'
| where ProcessCommandLine has_any ('/create', '-create')
| where ProcessCommandLine has 'powershell'
| extend ScriptName = extract('[^a-zA-Z0-9]([a-zA-Z0-9\\-_.]+\\.ps1)[^a-zA-Z0-9]', 1, ProcessCommandLine)
| where isnotempty(ScriptName)
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, ScriptName
| order by Timestamp desc | Correct | 1 | 9.77s | 0.0218 |
| grok-3-mini-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0077 |
| o1-high | c:\T1036.004_NonExistingScript.ps1 | DeviceProcessEvents
| where FileName == "schtasks.exe"
| where ProcessCommandLine has " /create " and ProcessCommandLine has "powershell"
| extend ScriptName = extract(@"([A-Za-z0-9\\/\-_.:]+\.ps1)", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, ScriptName
| order by TimeGenerated desc | Correct | 1 | 40.90s | 0.1748 |
| o1-low | c:\T1036.004_NonExistingScript.ps1 | DeviceProcessEvents
| where FileName == "schtasks.exe"
| where ProcessCommandLine has_any ("/create", "create")
| where ProcessCommandLine has_any ("powershell", "powershell.exe")
| extend Ps1Script = extract(@"(\S+\.ps1)", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, ProcessCommandLine, Ps1Script | Correct | 1 | 31.28s | 0.2128 |
| o3-mini-high | T1036.004_NonExistingScript.ps1 | DeviceProcessEvents
| where tolower(FileName) == "schtasks.exe"
| where ProcessCommandLine has "powershell" and ProcessCommandLine has ".ps1"
| extend ScriptName = extract(@"(\S+\.ps1)", 1, ProcessCommandLine)
| where isnotempty(ScriptName)
| project TimeGenerated, DeviceName, ScriptName, ProcessCommandLine | Correct | 1 | 12.02s | 0.0089 |
| o3-mini-low | c:\T1036.004_NonExistingScript.ps1 | DeviceProcessEvents
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine contains "/create"
| where ProcessCommandLine contains "PowerShell"
| where ProcessCommandLine contains ".ps1"
| extend ScriptName = extract(@"(?i)(\S+\.ps1)", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, ProcessCommandLine, ScriptName
| distinct ScriptName, DeviceName, TimeGenerated | Correct | 1 | 39.69s | 0.0089 |
| o4-mini-high | T1036.004_NonExistingScript.ps1 | DeviceProcessEvents
| where FileName == "schtasks.exe"
and ProcessCommandLine has "/create"
and ProcessCommandLine contains "-file"
and ProcessCommandLine contains ".ps1"
| extend ScriptName = extract(@"(?i)-file\s+""?([^""\s]+\.ps1)", 1, ProcessCommandLine)
| where isnotempty(ScriptName)
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, ScriptName
| sort by TimeGenerated desc | Correct | 4 | 156.42s | 0.0424 |
| o4-mini-low | T1036.004_NonExistingScript.ps1 | DeviceProcessEvents
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine has "/create"
| where ProcessCommandLine has "powershell"
| parse ProcessCommandLine with * "-File " ScriptNameRaw:string ".ps1" *
| extend Ps1Script = strcat(trim('"', ScriptNameRaw), ".ps1")
| where isnotempty(Ps1Script)
| project TimeGenerated, DeviceName, AccountName, Ps1Script, ProcessCommandLine
| sort by TimeGenerated desc | Correct | 3 | 335.93s | 0.0702 |