Question Analysis
Investigate Windows process events for PowerShell activity that leverages WMI to register a scheduled task via XML import. What was the name of the XML file supplied to the RegisterByXml method?
e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b
Question ID
3/16
Models Correct
1
Valid Answer
19%
Success Rate
Reference Answer
Human-validated correct answer for this question
T1053_005_WMI.xml
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0717 |
| gpt-35-turbo | T1053_005_WMI.xml | DeviceProcessEvents
| where ProcessCommandLine has "PowerShell" and ProcessCommandLine has "RegisterByXml"
| extend XmlFileName = tostring(AdditionalFields.XmlFileName)
| project TimeGenerated, ProcessId, ProcessCommandLine, XmlFileName | Correct | 1 | 3.32s | 0.0027 |
| gpt-4-turbo-2024-04-09 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2373 |
| gpt-4.1 | C:\AtomicRedTeam\atomics\T1053.005\src\T1053_005_WMI.xml | DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has "RegisterByXml" or ProcessCommandLine has "RegisterTaskDefinition" or ProcessCommandLine has "RegisterTask"
| where ProcessCommandLine has ".xml"
| extend XMLFileName = extract(@"([\w\d:\\/_\-\.]+\.xml)", 1, ProcessCommandLine)
| where isnotempty(XMLFileName)
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, XMLFileName | Correct | 1 | 7.22s | 0.0129 |
| gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0452 |
| gpt-4.1-mini | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0085 |
| gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0015 |
| gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0623 |
| grok-3-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0893 |
| grok-3-mini-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0077 |
| o1-high | C:\AtomicRedTeam\atomics\T1053.005\src\T1053_005_WMI.xml | // Investigate PowerShell activity leveraging WMI to register a scheduled task via XML import
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has "RegisterByXml"
| extend XmlFileName = extract(@"(?i)([A-Z]:\\[\w\\.\-]+\.xml)", 1, ProcessCommandLine)
| project TimeGenerated, DeviceId, DeviceName, AccountName, ProcessCommandLine, XmlFileName
| order by TimeGenerated desc | Correct | 1 | 38.08s | 0.2797 |
| o1-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.8630 |
| o3-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0424 |
| o3-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0470 |
| o4-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0586 |
| o4-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0403 |