Question Analysis
Investigating a Windows device, you suspect a non-standard executable was launched to set up a named pipe for client-server messaging. Determine the name of the executable that was run.
Question ID: 8dbfc15c-527b-4ab0-a272-019f469d367f
Models Correct: 5/23
Valid Answer: 1
Success Rate: 22%
Reference Answer
Human-validated correct answer for this question
namedpipes_executor.exe
Model Performance Comparison
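See how different AI models performed on this question. Note that the queries marked Correct located the executable primarily by matching pipe-related keywords in process file names or command lines; this is a keyword match on process-creation telemetry, not evidence that a pipe was actually created, so an investigator would still corroborate the result against pipe-creation events for the same process.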
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | namedpipes_server.exe | DeviceEvents
| where ActionType contains "Pipe"
| distinct InitiatingProcessFileName | Incorrect | 3 | 57.00s | 0.0298 |
gpt-35-turbo | namedpipes_executor.exe | DeviceProcessEvents | where ActionType == 'ProcessCreated' | where FileName contains 'pipe' | project FileName, ProcessCommandLine, TimeGenerated | Correct | 1 | 3.29s | 0.0024 |
gpt-4-turbo-2024-04-09 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2302 |
gpt-4.1 | namedpipes_executor.exe | DeviceProcessEvents
| where ProcessCommandLine has "pipe"
| where not(FileName in~ ("svchost.exe", "lsass.exe", "services.exe", "explorer.exe", "wininit.exe", "winlogon.exe"))
| project TimeGenerated, DeviceName, FileName, FolderPath, ProcessCommandLine, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 6.62s | 0.0135 |
gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0409 |
gpt-4.1-mini | namedpipes_executor.exe | DeviceProcessEvents
| where ProcessCommandLine has 'pipe'
| summarize Count=count() by FileName
| order by Count desc | Correct | 1 | 3.76s | 0.0022 |
gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0016 |
gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0517 |
gpt-5-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2590 |
gpt-5-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0192 |
gpt-5-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0186 |
gpt-5-mini-medium | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0260 |
gpt-5-nano-high | namedpipes_executor.exe | let Lookback = 24h;
let NPKeywords = dynamic(["CreateNamedPipe", "NamedPipe", "Pipe"]);
(
DeviceProcessEvents
| where TimeGenerated >= ago(Lookback)
| where InitiatingProcessCommandLine has_any ("CreateNamedPipe","NamedPipe","Pipe") or ProcessCommandLine has_any ("CreateNamedPipe","NamedPipe","Pipe")
| extend ExecutableName = coalesce(InitiatingProcessFileName, FileName)
| project TimeGenerated, DeviceName, ExecutableName, InitiatingProcessCommandLine, ProcessCommandLine
)
| union (
DeviceEvents
| where TimeGenerated >= ago(Lookback)
| where InitiatingProcessCommandLine has_any ("CreateNamedPipe","NamedPipe","Pipe")
| extend ExecutableName = InitiatingProcessFileName
| project TimeGenerated, DeviceName, ExecutableName, InitiatingProcessCommandLine
)
| summarize Count = count() by ExecutableName, DeviceName
| sort by Count desc
| take 100 | Correct | 3 | 82.55s | 0.0048 |
gpt-5-nano-medium | dash | DeviceProcessEvents
| where InitiatingProcessCommandLine != ""
| where InitiatingProcessCommandLine contains "CreateNamedPipe" or InitiatingProcessCommandLine contains "NamedPipe" or InitiatingProcessCommandLine contains "Pipe"
| summarize Count = count(), FirstSeen = min(InitiatingProcessCreationTime), LastSeen = max(InitiatingProcessCreationTime) by ExecutableName = InitiatingProcessFileName, ExecutablePath = InitiatingProcessFolderPath
| sort by Count desc
| take 1
| project ExecutableName, ExecutablePath, Count, FirstSeen, LastSeen | Incorrect | 1 | 52.88s | 0.0026 |
grok-3-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0887 |
grok-3-mini-beta | namedpipes_server.exe | DeviceProcessEvents
| where ProcessCommandLine has "pipe" or InitiatingProcessCommandLine has "pipe"
| project FileName, ProcessCommandLine, InitiatingProcessCommandLine
| distinct FileName
| order by FileName asc | Incorrect | 4 | 51.84s | 0.0056 |
o1-high | namedpipes_executor.exe | DeviceProcessEvents
| where TimeGenerated >= ago(7d)
// Look for references to named pipe usage
| where tolower(ProcessCommandLine) has "pipe" or tolower(tostring(AdditionalFields)) has "namedpipe"
// Focus on executables outside standard Windows or Program Files paths
| where FileName endswith ".exe"
| where not(FolderPath startswith "C:\\Windows" or FolderPath startswith "C:\\Program Files")
| project TimeGenerated,
DeviceId,
DeviceName,
ActionType,
FolderPath,
FileName,
ProcessCommandLine,
AdditionalFields
| order by TimeGenerated desc
| limit 100 | Correct | 4 | 88.04s | 0.6552 |
o1-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.7948 |
o3-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.1153 |
o3-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0404 |
o3-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0461 |
o4-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0538 |
o4-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0416 |