Question Analysis
On a Linux system, review process-creation logs to identify any dd commands reading from /proc/*/mem. What was the name of the file to which the dumped memory was written?
7e91138a-8e74-456d-a007-973d67a0bb80
Question ID
14/16
Models Correct
1
Valid Answer
88%
Success Rate
Reference Answer
Human-validated correct answer for this question
T1003.007.bin
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | /tmp/T1003.007.bin | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine has "dd" and ProcessCommandLine has "if=/proc/" and ProcessCommandLine has "/mem"
| extend OutputFileName = extract(@"of=([^ ]+)", 1, ProcessCommandLine)
| where isnotempty(OutputFileName)
| project TimeGenerated, DeviceName, ProcessCommandLine, OutputFileName
| order by TimeGenerated asc | Correct | 1 | 12.52s | 0.0066 |
gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0110 |
gpt-4-turbo-2024-04-09 | T1003.007.bin | DeviceProcessEvents
| where ProcessCommandLine has 'dd' and ProcessCommandLine has '/proc/' and ProcessCommandLine has '/mem'
| parse ProcessCommandLine with * 'of=' FileName ' ' *
| project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, ProcessId, FileName | Correct | 4 | 29.78s | 0.2129 |
gpt-4.1 | /tmp/T1003.007.bin | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName == "dd" or ProcessCommandLine has "dd "
| where ProcessCommandLine matches regex @"if=/proc/\d+/mem"
| extend outputFile = extract(@"of=([^\s]+)", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, outputFile
| where isnotempty(outputFile) | Correct | 1 | 5.03s | 0.0114 |
gpt-4.1-finetuned | /tmp/T1003.007.bin | DeviceProcessEvents
| where FileName in~ ("dd", "dd.exe")
// Look for commands whose input file is process memory, i.e. if=/proc/PID/mem
| where ProcessCommandLine has_all ("if=/proc", "/mem")
// Extract the output file that follows the 'of=' argument in the command
| extend DumpWrittenOnHostFile = trim(@"'", tostring(extract(@"of=([\w-\.:/\\]*?) ",1,ProcessCommandLine )))
| where isnotempty(DumpWrittenOnHostFile)
| summarize any(*) by DumpWrittenOnHostFile
| order by tostring(DumpWrittenOnHostFile) asc
| take 50
// Project only the path of the file the memory dump was written to
| project DumpWrittenOnHostFile //, *
// Uncomment to show results and files dropped by each host
// | extend HostName = tostring(split(DeviceName, '.') [0]), DnsDomain = tostring(strcat_array(array_slice(split(DeviceName, '.'), 1, -1), '.'))
| Correct | 5 | 32.11s | 0.0220 |
gpt-4.1-mini | /tmp/T1003.007.bin | DeviceProcessEvents
| where ProcessCommandLine has "dd" and ProcessCommandLine matches regex @"/proc/[0-9]+/mem"
| extend OutputFile = extract(@"of=([^\s]+)", 1, ProcessCommandLine)
| where isnotempty(OutputFile)
| summarize count() by OutputFile
| order by count_ desc | Correct | 1 | 18.58s | 0.0022 |
gpt-4.1-nano | T1003.007.bin | DeviceProcessEvents
| where ProcessCommandLine contains 'dd' and ProcessCommandLine contains '/proc/' and ProcessCommandLine contains 'mem'
| project TimeGenerated, ProcessId, ProcessCommandLine
| extend OutputFile=extract("of=([^ ]+)", 1, ProcessCommandLine)
| where isnotempty(OutputFile) | Correct | 3 | 25.47s | 0.0014 |
gpt-4o | /tmp/T1003.007.bin | DeviceProcessEvents
| where ProcessCommandLine contains "dd" and ProcessCommandLine contains "/proc/" and ProcessCommandLine contains "/mem"
| project InitiatingProcessCommandLine, FileName | Correct | 2 | 5.22s | 0.0329 |
grok-3-beta | /tmp/T1003.007.bin | DeviceProcessEvents
| where ProcessCommandLine contains "dd"
| where ProcessCommandLine contains "/proc/" and ProcessCommandLine contains "mem"
| extend OutputFile = extract("of=([^\\s]+)", 1, ProcessCommandLine)
| project Timestamp, DeviceName, ProcessCommandLine, OutputFile, AccountName, InitiatingProcessFileName
| order by Timestamp desc | Correct | 3 | 36.99s | 0.0635 |
grok-3-mini-beta | /tmp/T1003.007.bin | let LinuxDevices = DeviceInfo
| where OSPlatform == "Linux"
| distinct DeviceId;
DeviceProcessEvents
| where DeviceId in (LinuxDevices)
| where FileName == "dd"
| where ProcessCommandLine contains "/proc/" and ProcessCommandLine contains "mem"
| extend OutputFile = extract(@"of=([^ ]+)", 1, ProcessCommandLine)
| project Timestamp, ProcessCommandLine, OutputFile
| summarize arg_max(Timestamp, *) by OutputFile | Correct | 1 | 17.11s | 0.0016 |
o1-high | /tmp/T1003.007.bin | DeviceProcessEvents
| where ActionType in ("CreateProcess", "ProcessCreated")
| project TimeGenerated, DeviceId, DeviceName, ProcessCommandLine
// Join with DeviceInfo to ensure we only look at Linux systems
| join kind=inner (
DeviceInfo
| project DeviceId, OSPlatform
) on DeviceId
| where OSPlatform == "Linux"
| where ProcessCommandLine has "dd "
and ProcessCommandLine has "if=/proc/"
and ProcessCommandLine has "/mem"
and ProcessCommandLine has " of="
| parse kind=regex ProcessCommandLine with * "if=" Source " of=" DumpFile " " *
| project TimeGenerated, DeviceName, Source, DumpFile
| order by TimeGenerated desc | Correct | 1 | 40.48s | 0.3006 |
o1-low | /tmp/T1003.007.bin | let LinuxDevices = DeviceInfo
| where OSPlatform == "Linux"
| distinct DeviceId;
DeviceProcessEvents
| where DeviceId in (LinuxDevices)
| where ActionType == "ProcessCreated"
| where FileName =~ "dd"
| where ProcessCommandLine has "if=/proc/" and ProcessCommandLine has "/mem"
| extend DumpedFile = extract(@"of=([^\s]+)",1,ProcessCommandLine)
| where isnotempty(DumpedFile)
| project TimeGenerated, DeviceName, ProcessCommandLine, DumpedFile
| order by TimeGenerated desc | Correct | 3 | 66.08s | 0.4989 |
o3-mini-high | T1003.007.bin | DeviceProcessEvents
| where InitiatingProcessCommandLine has "dd"
| where InitiatingProcessCommandLine has "if=/proc/" and InitiatingProcessCommandLine has "mem"
| extend dump_file = extract(@"of=(\S+)", 1, InitiatingProcessCommandLine)
| where isnotempty(dump_file)
| project TimeGenerated, InitiatingProcessCommandLine, dump_file | Correct | 1 | 25.09s | 0.0149 |
o3-mini-low | T1003.007.bin | DeviceProcessEvents
| where ProcessCommandLine has "dd"
| where ProcessCommandLine has "if=/proc/" and ProcessCommandLine has "mem"
| extend DumpFile = extract(@"of=([^ \t]+)", 1, ProcessCommandLine)
| where isnotempty(DumpFile)
| project TimeGenerated, ProcessCommandLine, DumpFile
| order by TimeGenerated desc | Correct | 1 | 36.77s | 0.0117 |
o4-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0369 |
o4-mini-low | /tmp/T1003.007.bin | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine has "dd" and ProcessCommandLine has "if=/proc/"
| extend DumpFile = extract(@"of=(\S+)", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, ProcessCommandLine, DumpFile | Correct | 1 | 34.05s | 0.0109 |