Question Analysis
During a Linux investigation, you notice processes spawning `curl` or `wget` commands that fetch a script from a raw GitHub URL and pipe it directly into `bash`. Identify the name of the script that was retrieved and executed.
d0c88567-803d-4dca-99b4-7ce65e7b257c
Question ID
4/16
Models Correct
1
Valid Answer
25%
Success Rate
Reference Answer
Human-validated correct answer for this question (the script name a model must return to be marked Correct)
echo-art-fish.sh
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0330 |
gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0114 |
gpt-4-turbo-2024-04-09 | LinEnum.sh | DeviceProcessEvents
| where ProcessCommandLine has_any('curl', 'wget') and ProcessCommandLine contains 'bash'
| extend ScriptUrl = tostring(split(ProcessCommandLine, '|')[0])
| extend ScriptName = tostring(split(ScriptUrl, '/')[array_length(split(ScriptUrl, '/')) - 1])
| project DeviceName, FileName, ProcessCommandLine, ScriptUrl, ScriptName | Incorrect | 1 | 14.74s | 0.0732 |
gpt-4.1 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0434 |
gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0426 |
gpt-4.1-mini | pipe-to-shell.sh | DeviceProcessEvents
| where ProcessCommandLine contains @"curl" or ProcessCommandLine contains @"wget"
| where ProcessCommandLine contains @"raw.githubusercontent.com"
| where ProcessCommandLine contains @"bash" or ProcessCommandLine contains @"| bash"
| extend ScriptUrl = extract(@"https?://raw\.githubusercontent\.com[^\s|]+", 0, ProcessCommandLine)
| extend ScriptName = extract(@"[^/]+$", 0, ScriptUrl)
| project TimeGenerated, DeviceName, ProcessCommandLine, ScriptUrl, ScriptName
| distinct ScriptName, DeviceName, TimeGenerated, ProcessCommandLine, ScriptUrl | Incorrect | 1 | 20.65s | 0.0029 |
gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0017 |
gpt-4o | AutoSUID.sh | DeviceProcessEvents
| where InitiatingProcessCommandLine contains "curl" or InitiatingProcessCommandLine contains "wget"
| where InitiatingProcessCommandLine matches regex @"https:\/\/raw.githubusercontent.com\/.*\.sh" and InitiatingProcessCommandLine contains "bash"
| extend ScriptName = extract(@"[\w-]+\.sh", 0, InitiatingProcessCommandLine)
| project Timestamp, DeviceId, DeviceName, InitiatingProcessCommandLine, ScriptName | Incorrect | 1 | 24.29s | 0.0201 |
grok-3-beta | echo-art-fish.sh | DeviceProcessEvents
| where ProcessCommandLine contains 'curl' or ProcessCommandLine contains 'wget'
| where ProcessCommandLine contains 'github'
| where ProcessCommandLine contains '| bash'
| extend ScriptName = extract('.*\\/([^\\/\\?\\s]+)', 1, ProcessCommandLine)
| project Timestamp, DeviceName, ProcessCommandLine, ScriptName
| order by Timestamp desc | Correct | 5 | 39.67s | 0.0947 |
grok-3-mini-beta | pipe-to-shell.sh | DeviceProcessEvents
| where ProcessCommandLine matches regex @'\bcurl\b.*\|\b.*\bbash\b' or ProcessCommandLine matches regex @'\bwget\b.*\|\b.*\bbash\b'
| extend FullURL = extract(@'(https?://[^\s|]+)', 1, ProcessCommandLine)
| extend arr = split(FullURL, '/')
| extend ScriptName = arr[array_length(arr) - 1]
| project TimeGenerated, DeviceName, ProcessCommandLine, ScriptName
| summarize ScriptNames = make_set(ScriptName) by DeviceName | Incorrect | 3 | 36.57s | 0.0045 |
o1-high | LinEnum.sh | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine has_any ("curl", "wget")
| where ProcessCommandLine has "raw.githubusercontent.com" and ProcessCommandLine has "bash"
| extend DownloadedUrl = extract(@"(https?:\/\/[^\s|]+)", 0, ProcessCommandLine)
| extend ScriptName = extract(@"\/([^\/\?]+)(\?.*)?$", 1, DownloadedUrl)
| project TimeGenerated, DeviceId, DeviceName, AccountName, ProcessCommandLine, DownloadedUrl, ScriptName
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by DeviceId, DeviceName, AccountName, ScriptName
| order by EndTime desc | Incorrect | 2 | 115.36s | 0.6308 |
o1-low | echo-art-fish.sh | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where tolower(InitiatingProcessCommandLine) has_any ("curl", "wget")
and tolower(InitiatingProcessCommandLine) has "raw.githubusercontent.com"
and tolower(InitiatingProcessCommandLine) has "| bash"
| extend ScriptName = extract(@"raw\.githubusercontent\.com[^ ]+/(?<script>[^ ]+)", 1, tolower(InitiatingProcessCommandLine))
| project Timestamp, DeviceName, InitiatingProcessCommandLine, ScriptName
| order by Timestamp desc | Correct | 3 | 61.01s | 0.5518 |
o3-mini-high | echo-art-fish.sh | DeviceProcessEvents
| where ProcessCommandLine has_any ("curl", "wget")
| where ProcessCommandLine contains "raw.githubusercontent.com"
| where ProcessCommandLine contains "| bash"
| extend ScriptName = extract(@"https?://raw\.githubusercontent\.com/[^/]+/[^/]+/[^/]+/([^ \|]+)", 1, ProcessCommandLine)
| where isnotempty(ScriptName)
| summarize Occurrences = count() by ScriptName, ProcessCommandLine
| order by Occurrences desc | Correct | 1 | 13.12s | 0.0088 |
o3-mini-low | LinEnum.sh | DeviceProcessEvents
| where ProcessCommandLine has_any ("curl", "wget")
| where ProcessCommandLine contains "raw.githubusercontent.com"
| where ProcessCommandLine contains "bash"
| extend ScriptName = extract(@"raw\.githubusercontent\.com/\S+/([^/]+\.sh)", 1, ProcessCommandLine)
| where isnotempty(ScriptName)
| distinct ScriptName | Incorrect | 1 | 61.96s | 0.0116 |
o4-mini-high | echo-art-fish.sh | DeviceProcessEvents
| where TimeGenerated between (startofday(ago(7d)) .. now()) // timerange will be set by the external control
| where ProcessCommandLine has_any ("curl", "wget")
| where ProcessCommandLine contains "raw.githubusercontent.com"
| where ProcessCommandLine contains "bash" or ProcessCommandLine contains "|"
// Extract the raw.githubusercontent.com URL
| extend DownloadUrl = extract(@"(https?://raw\.githubusercontent\.com/[^\s|]+)", 1, ProcessCommandLine)
| where isnotempty(DownloadUrl)
// Parse out the script name (last segment of the URL)
| extend ScriptName = tostring(split(DownloadUrl, "/")[array_length(split(DownloadUrl, "/")) - 1])
| project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, DownloadUrl, ScriptName
| sort by TimeGenerated desc | Correct | 1 | 30.30s | 0.0134 |
o4-mini-low | pipe-to-shell.sh | DeviceProcessEvents
| where ActionType == "ProcessCreated"
// Only look for curl or wget invocations
| where ProcessCommandLine contains "curl" or ProcessCommandLine contains "wget"
// Focus on raw GitHub URLs
| where ProcessCommandLine contains "raw.githubusercontent.com"
// Extract the full URL being fetched
| extend DownloadUrl = extract(@"(https?://raw\.githubusercontent\.com/[^\s'""\|]+)", 1, ProcessCommandLine)
| where isnotempty(DownloadUrl)
// Derive the script name from the URL by taking the last path segment
| extend ScriptName = tostring(split(DownloadUrl, "/")[-1])
// Filter for typical shell script extensions
| where ScriptName endswith ".sh" or ScriptName endswith ".bash"
// Summarize by script name to see which scripts were pulled and executed
| summarize Count = count() by ScriptName
| sort by Count desc | Incorrect | 4 | 108.17s | 0.0301 |