Question Analysis
On a Windows device, an attacker ran a PowerShell script to collect system settings including UI language and locale. Identify which cmdlet in the command line was used to obtain the system locale.
1f23bfe8-36d4-49ce-903a-19a1e8c6631b
Question ID
9/16
Models Correct
1
Valid Answer
56%
Success Rate
Reference Answer
Human-validated correct answer for this question
Get-WinSystemLocale
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0183 |
| gpt-35-turbo | Get-WinSystemLocale | DeviceProcessEvents | where ProcessCommandLine contains 'Get-WinSystemLocale' | Correct | 1 | 3.05s | 0.0030 |
| gpt-4-turbo-2024-04-09 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2293 |
| gpt-4.1 | Get-WinSystemLocale | DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("Get-WinSystemLocale", "Get-Culture", "Get-UICulture")
| extend CmdletUsed = case(ProcessCommandLine has "Get-WinSystemLocale", "Get-WinSystemLocale", ProcessCommandLine has "Get-Culture", "Get-Culture", ProcessCommandLine has "Get-UICulture", "Get-UICulture", "Unknown")
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, CmdletUsed | Correct | 1 | 4.75s | 0.0117 |
| gpt-4.1-finetuned | Get-WinSystemLocale | DeviceProcessEvents
| where ProcessCommandLine has "Get-Culture" or ProcessCommandLine has "CultureInfo" or ProcessCommandLine has "CultureInfo"
| distinct ProcessCommandLine
| take 10 | Correct | 5 | 37.73s | 0.0359 |
| gpt-4.1-mini | Get-WinSystemLocale | DeviceProcessEvents
| where InitiatingProcessFileName has_cs "powershell.exe"
and (ProcessCommandLine has "Get-Culture" or ProcessCommandLine has "Get-UICulture" or ProcessCommandLine has "Get-WinSystemLocale" or ProcessCommandLine has "Get-WinUserLanguageList")
| project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine
| order by Timestamp desc | Correct | 2 | 19.90s | 0.0030 |
| gpt-4.1-nano | Get-WinSystemLocale | DeviceProcessEvents
| where ProcessCommandLine contains 'Get-Culture' or ProcessCommandLine contains 'Get-WinSystemLocale'
| project TimeGenerated, DeviceName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId | Correct | 1 | 2.89s | 0.0005 |
| gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0481 |
| grok-3-beta | wmic | DeviceProcessEvents
| where InitiatingProcessFileName in ('powershell.exe', 'pwsh.exe')
| where ProcessCommandLine has_any ('Get-Culture', 'Get-UICulture', 'locale', 'language', 'region')
| project DeviceName, Timestamp, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName
| order by Timestamp desc | Incorrect | 1 | 10.57s | 0.0213 |
| grok-3-mini-beta | Get-WinSystemLocale | DeviceProcessEvents
| where FileName == 'powershell.exe'
| where ProcessCommandLine contains 'Get-Culture' or ProcessCommandLine contains 'Get-WinSystemLocale'
| project Timestamp, DeviceName, ProcessCommandLine, AccountName
| order by Timestamp desc | Correct | 1 | 11.37s | 0.0016 |
| o1-high | Get-WinSystemLocale | union DeviceEvents,
DeviceFileEvents,
DeviceImageLoadEvents,
DeviceLogonEvents,
DeviceNetworkEvents,
DeviceProcessEvents,
DeviceRegistryEvents
| where TimeGenerated >= ago(7d)
// Combine possible command line fields for different event types
| extend FullCommandLine = coalesce(InitiatingProcessCommandLine, ProcessCommandLine, AdditionalFields.CommandLine)
| where isnotempty(FullCommandLine)
| where tolower(FullCommandLine) has "powershell"
and tolower(FullCommandLine) has_any ("get-culture", "get-uiculture", "get-winsystemlocale", "locale")
// Extract the relevant cmdlet name found
| extend LocaleCmdlet = extract(@"(get-culture|get-uiculture|get-winsystemlocale|locale)", 0, tolower(FullCommandLine))
| project TimeGenerated,
DeviceName,
FullCommandLine,
LocaleCmdlet,
InitiatingProcessAccountName,
InitiatingProcessAccountDomain
| order by TimeGenerated desc | Correct | 5 | 105.49s | 0.7295 |
| o1-low | Get-WinSystemLocale | DeviceProcessEvents
| where TimeGenerated >= ago(14d) // Adjust the time range as needed
| where (InitiatingProcessCommandLine contains "powershell" or ProcessCommandLine contains "powershell"
or InitiatingProcessCommandLine contains "pwsh" or ProcessCommandLine contains "pwsh")
| where (InitiatingProcessCommandLine has_any ("Get-Culture","Get-UICulture","Get-WinSystemLocale","wmic os get locale","Get-CimInstance","Get-WmiObject","Win32_OperatingSystem")
or ProcessCommandLine has_any ("Get-Culture","Get-UICulture","Get-WinSystemLocale","wmic os get locale","Get-CimInstance","Get-WmiObject","Win32_OperatingSystem"))
| project TimeGenerated, DeviceId, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine
| order by TimeGenerated desc | Correct | 3 | 63.57s | 0.4904 |
| o3-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0348 |
| o3-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0387 |
| o4-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0456 |
| o4-mini-low | Get-WinSystemLocale | DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine matches regex @"(?i)Get-(Culture|UICulture|WinSystemLocale)"
| extend Cmdlet = extract(@"(?i)(Get-(?:Culture|UICulture|WinSystemLocale))", 1, ProcessCommandLine)
| summarize Count = count(), SampleCommandLine = any(ProcessCommandLine) by Cmdlet
| order by Count desc | Correct | 2 | 72.13s | 0.0162 |