Question Analysis
On a Linux host, process execution logs show a chmod invocation that uses a recursive flag. Which file or folder was the target of this recursive permission change?
ea79f937-4a4d-4348-ace6-9916aec453a4
Question ID
14/16
Models Correct
1
Valid Answer
88%
Success Rate
Reference Answer
Human-validated correct answer for this question
T1222.002
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | /tmp/AtomicRedTeam/atomics/T1222.002 | DeviceProcessEvents
| where FileName == "chmod"
| where ProcessCommandLine has "-R" or ProcessCommandLine has "-r"
// Extract the target path assuming it's the first sequence of non-space characters after the recursive flag and a space.
// This regex (?:-R|-r)\s+(\S+) matches:
// (?:-R|-r) - a non-capturing group for either "-R" or "-r"
// \s+ - one or more whitespace characters
// (\S+) - one or more non-whitespace characters (this is captured in group 1)
| extend TargetedPath = extract(@"(?:-R|-r)\s+(\S+)", 1, ProcessCommandLine)
| where isnotempty(TargetedPath) // Filter out events where extraction failed or didn't find a target
| project Timestamp, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, TargetedPath, AccountName, AccountDomain | Correct | 1 | 25.72s | 0.0131 |
gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0110 |
gpt-4-turbo-2024-04-09 | /tmp/AtomicRedTeam/atomics/T1222.002 | DeviceProcessEvents
| where InitiatingProcessCommandLine contains 'chmod' and InitiatingProcessCommandLine contains '-R'
| project Timestamp, DeviceName, InitiatingProcessCommandLine, FolderPath | Correct | 1 | 12.89s | 0.1258 |
gpt-4.1 | /tmp/AtomicRedTeam/atomics/T1222.002 | DeviceProcessEvents
| where FileName == "chmod" or ProcessCommandLine has "chmod"
| where ProcessCommandLine has "-R" or ProcessCommandLine has "--recursive"
| extend TargetPath = extract("chmod .*-R(?:[ =]?|[[:space:]]+| --recursive[ =]?)([^ ]+)", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, AccountName, AccountDomain, ProcessCommandLine, TargetPath
| order by TimeGenerated desc | Correct | 1 | 6.75s | 0.0144 |
gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0514 |
gpt-4.1-mini | /tmp/AtomicRedTeam/atomics/T1222.002 | DeviceProcessEvents
| where FileName == "chmod" and (ProcessCommandLine has "-R" or ProcessCommandLine has "--recursive")
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, TargetPath = strcat(FolderPath, "/", FileName), ProcessCommandLine
| order by TimeGenerated desc | Correct | 2 | 22.23s | 0.0041 |
gpt-4.1-nano | /tmp/AtomicRedTeam/atomics/T1222.002 | DeviceProcessEvents
| where ActionType == 'ProcessCreated' and FileName endswith 'chmod'
| where ProcessCommandLine contains '-R' or ProcessCommandLine contains '--recursive'
| extend TargetPath = extract(@'chmod\s+[\S]+\s+(\S+)', 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, TargetPath
| where isnotempty(TargetPath)
| take 10 | Correct | 2 | 5.71s | 0.0007 |
gpt-4o | /tmp/AtomicRedTeam/atomics/T1222.002 | DeviceProcessEvents
| where InitiatingProcessCommandLine contains "chmod" and InitiatingProcessCommandLine contains "-R"
| extend TargetFileOrFolder = extract(@"chmod\s.*\-R\s(\S+)", 1, InitiatingProcessCommandLine)
| project TimeGenerated, DeviceName, TargetFileOrFolder, InitiatingProcessCommandLine | Correct | 3 | 30.53s | 0.0551 |
grok-3-beta | /tmp/AtomicRedTeam/atomics/T1222.002 | DeviceProcessEvents
| where ProcessCommandLine has 'chmod' and (ProcessCommandLine has '-R' or ProcessCommandLine has '--recursive')
| join kind=inner DeviceInfo on DeviceId
| where OSPlatform contains 'Linux'
| extend TargetPath = extract('chmod[^>]*[ ]+[^ ]*[ ]+([^ ]+)', 1, ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, TargetPath
| order by Timestamp desc | Correct | 1 | 10.84s | 0.0435 |
grok-3-mini-beta | /tmp/AtomicRedTeam/atomics/T1222.002 | let LinuxDevices = DeviceInfo
| where OSPlatform == "Linux"
| distinct DeviceId;
DeviceProcessEvents
| where DeviceId in (LinuxDevices)
| where ProcessCommandLine contains "chmod" and ProcessCommandLine contains "-R"
| extend TargetPath = extract(@"chmod\s+-R\s+\\S+\\s+([^\\s]+)", 1, ProcessCommandLine) // Extracts the path after chmod -R and its arguments
| project Timestamp, DeviceName, ProcessCommandLine, TargetPath
| order by Timestamp desc
| limit 100 // Limits results for performance; adjust as needed | Correct | 1 | 21.76s | 0.0031 |
o1-high | /tmp/AtomicRedTeam/atomics/T1222.002 | DeviceProcessEvents
| where DeviceId in (DeviceInfo
| where OSPlatform == "Linux"
| distinct DeviceId)
| where FileName == "chmod"
| where ProcessCommandLine contains "-R" or ProcessCommandLine contains "--recursive"
// Attempt to capture the last command line argument as the target path:
| extend TargetPath = extract(@"(/\S+)$", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, AccountName, FolderPath, ProcessCommandLine, TargetPath
| order by TimeGenerated desc | Correct | 1 | 40.60s | 0.2810 |
o1-low | /tmp/AtomicRedTeam/atomics/T1222.002 | DeviceInfo
| where OSPlatform == "Linux"
| distinct DeviceId
| join (
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName =~ "chmod"
| where ProcessCommandLine has_any ("-R", "--recursive")
) on DeviceId
| project TimeGenerated, DeviceName, FolderPath, ProcessCommandLine | Correct | 1 | 38.95s | 0.2636 |
o3-mini-high | /tmp/AtomicRedTeam/atomics/T1222.002 | DeviceProcessEvents
| where ProcessCommandLine contains "chmod" and ProcessCommandLine contains "-R"
| extend Target = extract(@"-R\s+(?:[0-7]{3}\s+)?([^\s]+)", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, ProcessCommandLine, Target | Correct | 2 | 71.99s | 0.0233 |
o3-mini-low | /tmp/AtomicRedTeam/atomics/T1222.002 | DeviceProcessEvents
| where ProcessCommandLine has "chmod" and ProcessCommandLine has "-R"
| extend Target = extract(@"chmod\s+-R\s+(?:[0-7]{3,4}\s+)?(\S+)", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, ProcessCommandLine, Target
| order by TimeGenerated desc | Correct | 1 | 35.76s | 0.0136 |
o4-mini-high | /tmp/AtomicRedTeam/atomics/T1222.002 | DeviceProcessEvents
| where ProcessCommandLine contains "chmod"
| where ProcessCommandLine matches regex @"chmod\s+(?:-[^\s]*\s+)*-R"
| extend TargetPath = extract(@"chmod\s+(?:-[^\s]*\s+)*-R\s+([^\s]+)", 1, ProcessCommandLine)
| join kind=inner (
DeviceInfo
| where OSPlatform == "Linux"
| project DeviceId
) on DeviceId
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, TargetPath | Correct | 1 | 39.50s | 0.0132 |
o4-mini-low | /tmp/AtomicRedTeam/atomics/T1222.002 | DeviceProcessEvents
| where FileName == "chmod"
| where ProcessCommandLine has "-R"
| extend args = split(ProcessCommandLine, " ")
| extend target = args[array_length(args) - 1]
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, target | Correct | 1 | 29.59s | 0.0108 |