Question Analysis
Identify the PowerShell cmdlet used on Windows to format and display the raw volume bytes after an attacker read the boot sector via a DOS device path.
88f6327e-51ec-4bbf-b2e8-3fea534eab8b
Question ID
9/21
Models Correct
1
Valid Answer
43%
Success Rate
Reference Answer
Human-validated correct answer for this question
Format-Hex
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0347 |
gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0112 |
gpt-4-turbo-2024-04-09 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2333 |
gpt-4.1 | Format-Hex | DeviceProcessEvents
| where FileName =~ "powershell.exe"
// NOTE(review): `has` is term-based; "\\.\\" (the literal \.\) and ":" are punctuation-only values,
// so these clauses may not behave like substring matches — confirm, or use `contains` for the DOS device prefix
| where ProcessCommandLine has "\\.\\" and (ProcessCommandLine has "PhysicalDrive" or ProcessCommandLine has ":")
// has_any is an OR: any one of these read/format terms satisfies the filter, so hits are not limited to Format-Hex
| where ProcessCommandLine has_any ("format-hex", "[byte]", "get-content", "-encoding byte", "convertto-hex")
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine | Correct | 1 | 7.20s | 0.0118 |
gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0499 |
gpt-4.1-mini | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0087 |
gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0021 |
gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0602 |
gpt-5-high | Format-Hex | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
// Cmdlet that formats/displays raw bytes (fhx is the Format-Hex alias)
| where ProcessCommandLine has_any ("format-hex", "fhx")
// Evidence of DOS device path usage (boot sector/raw volume access)
// Verbatim string (@'...'): backslashes are literal, so the doubled backslashes below are regex escapes for \\.\
| where ProcessCommandLine matches regex @'(?i)\\\\\.\\(physicaldrive\d+|[a-z]:|harddisk\d+\\partition\d+|globalroot\\device\\harddisk\d+(\\partition\d+)?)'
| extend UsedCmdlet = extract(@'(?i)\b(format-hex|fhx)\b', 1, ProcessCommandLine)
| extend DosDeviceTarget = extract(@'(?i)(\\\\\.\\(?:physicaldrive\d+|[a-z]:|harddisk\d+\\partition\d+|globalroot\\device\\harddisk\d+(?:\\partition\d+)?))', 1, ProcessCommandLine)
// Aggregated view keyed on the cmdlet spelling; per-event timestamps are dropped, so SampleCommands/SampleTargets are the triage hook
| summarize EventCount = count(), Devices = dcount(DeviceId), Accounts = dcount(AccountSid), SampleCommands = make_set(ProcessCommandLine, 5), SampleTargets = make_set(DosDeviceTarget, 5) by UsedCmdlet
| order by EventCount desc | Correct | 2 | 200.05s | 0.1020 |
gpt-5-mini-high | Format-Hex | union isfuzzy=true DeviceProcessEvents, DeviceEvents, DeviceFileEvents
// isfuzzy=true: the union still runs when one of the listed tables is absent from the workspace
| extend PCmd = tostring(ProcessCommandLine), IPcmd = tostring(InitiatingProcessCommandLine)
| extend PCmdL = tolower(PCmd), IPcmdL = tolower(IPcmd)
// look for Format-Hex (PowerShell) and evidence of DOS device/raw volume access (\\.\ or physicaldrive)
// "\\\\.\\" in a double-quoted string is the literal \\.\ prefix; both the process and its parent command line are checked
| where (PCmdL contains "format-hex" or PCmdL contains "formathex" or IPcmdL contains "format-hex" or IPcmdL contains "formathex")
and (PCmdL contains "\\\\.\\" or IPcmdL contains "\\\\.\\" or PCmdL contains "physicaldrive" or IPcmdL contains "physicaldrive")
// AccountDomain = AccountDomain is a no-op alias; capped at 100 newest rows
| project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain = AccountDomain, FileName, ProcessId, InitiatingProcessId, ProcessCommandLine = PCmd, InitiatingProcessCommandLine = IPcmd, ReportId, SourceSystem
| sort by TimeGenerated desc
| take 100 | Correct | 2 | 32.84s | 0.0086 |
gpt-5-mini-medium | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0133 |
gpt-5-nano-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0082 |
grok-3-beta | Format-Hex | DeviceProcessEvents
// Filters on the parent (InitiatingProcessFileName), so rows are processes spawned by powershell.exe, not the PowerShell command line itself
| where InitiatingProcessFileName =~ 'powershell.exe'
// has_any is an OR: generic terms such as 'Read', 'Raw' or 'Bytes' satisfy it alone, so a Format-Hex hit is not required
| where ProcessCommandLine has_any ('Format-Hex', '\\.\\', 'Read', 'Boot', 'Sector', 'Volume', 'Raw', 'Bytes')
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc | Correct | 1 | 13.20s | 0.0384 |
grok-3-mini-beta | Format-Hex | DeviceProcessEvents
// == is case-sensitive; a differently-cased image name would be missed (=~ is the case-insensitive form)
| where FileName == 'powershell.exe'
// NOTE(review): no Format-Hex (or any cmdlet) term in the filter — every powershell.exe command line naming a raw device path or 'boot sector' matches
| where ProcessCommandLine contains 'PhysicalDrive' or ProcessCommandLine contains '\\.\\' or ProcessCommandLine contains 'boot sector'
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated desc
| limit 100 | Correct | 3 | 39.67s | 0.0043 |
o1-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.7840 |
o1-low | Format-Hex | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName endswith "powershell.exe"
| where ProcessCommandLine has "Format-Hex"
// Only PhysicalDrive and the C: volume are covered; other drive letters and Harddisk/Volume device paths are not
// NOTE(review): `has` is term-based — confirm it matches these punctuation-heavy values, else use `contains`
| where ProcessCommandLine has_any("\\.\\PhysicalDrive", "\\.\\C:")
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | Correct | 1 | 27.24s | 0.2012 |
o3-high | Format-Hex | // Suspicious raw-disk read piped to a formatting cmdlet
DeviceProcessEvents
| where ActionType == "ProcessCreated" // process start events only
| where FileName has_any ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
// NOTE(review): `has` is term-based; confirm "\\.\\" (literal \.\) matches as intended, the regex below is the reliable check
| where ProcessCommandLine has "\\.\\" // DOS device path indicator
// Verbatim string (@"..."): \\\.\\ is a regex for the literal \\.\ prefix
| where ProcessCommandLine matches regex @"(?i)\\\.\\(PhysicalDrive|Volume|[A-Z]:)" // typical raw volume paths
// `contains` is already case-insensitive, so the contains_cs clause adds nothing beyond the second one
| where ProcessCommandLine contains_cs "Format-Hex" or ProcessCommandLine contains "format-hex" // cmdlet of interest
// Pull out the cmdlet to make it explicit
| extend CmdletUsed = extract(@"(?i)(Format-Hex)", 1, ProcessCommandLine)
| project TimeGenerated,
DeviceName,
DeviceId,
AccountDomain,
AccountName,
FileName,
ProcessCommandLine,
CmdletUsed,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
SHA256,
ProcessId
| order by TimeGenerated desc | Correct | 1 | 26.96s | 0.0196 |
o3-mini-high | Format-Hex | DeviceProcessEvents
| where FileName =~ "powershell.exe"
// `contains` is case-insensitive on its own; the tolower() wrapper is harmless but redundant
| where tolower(ProcessCommandLine) contains "format-hex"
// "\\.\\" is the literal \.\, a substring of the \\.\ DOS device prefix
| where tolower(ProcessCommandLine) contains "\\.\\"
| project TimeGenerated, DeviceName, FileName, ProcessId, ProcessCommandLine
| order by TimeGenerated desc | Correct | 4 | 43.60s | 0.0358 |
o3-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0464 |
o4-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0424 |
o4-mini-low | Format-Hex | DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has "Format-Hex"
// Optionally narrow to DOS device paths
// NOTE(review): `has` is term-based; confirm "\\.\\" (literal \.\) matches, else use `contains`
| where ProcessCommandLine has "\\.\\"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine | Correct | 1 | 30.62s | 0.0103 |