Question Analysis
On a Windows device, review the process-creation logs (the queries below use the DeviceProcessEvents table) to find instances where a built-in listing tool (for example `tasklist`) was piped into a string filter (for example `find` or `findstr`). Identify the process name that the attacker was searching for, i.e. the argument passed to the filter after the pipe.
11ba69ee-902e-4a0f-b3b6-418aed7d7ddb
Question ID
6/16
Models Correct
1
Valid Answer
38%
Success Rate
Reference Answer
Human-validated correct answer for this question. Practitioner note: a process listing filtered for `lsass` is commonly an attacker locating the LSASS process (typically to obtain its PID before attempting to read its memory for credentials), so a hit on this pattern is worth following up by checking for subsequent handle opens or memory access against lsass.exe on the same host.
lsass
Model Performance Comparison
See how different AI models performed on this question. Reading the queries: every query marked Correct extracts the token following `find`/`findstr` after the pipe, whereas the two that filtered on `dir` instead of `tasklist` (gpt-4-turbo, o3-mini-low) matched a different command line and returned `cmd.exe`. Note also that most of these queries key only on `findstr` (sometimes `find`); a PowerShell equivalent (e.g. `Get-Process | Select-String`) would be missed by all but the gemini query, and a `contains "|"` filter also matches pipes that appear inside quoted arguments, so a detection built from these should anchor the pipe between the listing tool and the filter as the o4-mini-high regex does.
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | lsass | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine contains "|" and (ProcessCommandLine contains "findstr" or ProcessCommandLine contains "find.exe" or ProcessCommandLine contains "Select-String")
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine | Correct | 1 | 14.76s | 0.0082 |
gpt-35-turbo | vssadmin.exe | DeviceProcessEvents
| where ProcessCommandLine contains ' | findstr '
| project ExtractedProcessName = tostring(split(ProcessCommandLine, ' | findstr ')[0]) | Incorrect | 1 | 3.10s | 0.0026 |
gpt-4-turbo-2024-04-09 | cmd.exe | DeviceProcessEvents
| where ActionType == 'ProcessCreated' and (InitiatingProcessCommandLine has 'dir' and InitiatingProcessCommandLine has 'findstr')
| extend SearchedProcess = extract('findstr ["](.+?)["]', 1, InitiatingProcessCommandLine)
| project DeviceName, InitiatingProcessCommandLine, SearchedProcess | Incorrect | 4 | 44.45s | 0.2099 |
gpt-4.1 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0457 |
gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0581 |
gpt-4.1-mini | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0101 |
gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0013 |
gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0635 |
grok-3-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0951 |
grok-3-mini-beta | lsass | DeviceProcessEvents
| where ProcessCommandLine contains '| findstr'
| extend searchedFor = extract(@'findstr "(.*?)"', 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, ProcessCommandLine, searchedFor
| order by TimeGenerated desc | Correct | 1 | 15.30s | 0.0017 |
o1-high | lsass | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName in~ ("cmd.exe", "powershell.exe")
| where ProcessCommandLine has_any ("tasklist", "net", "wmic", "dir", "sc")
| where ProcessCommandLine has_any ("| find", "| findstr")
| extend AttackerSearch = extract(@'\|(?:\s*)find(?:str)?\s+(?:"([^"]+)"|(\S+))', 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, AttackerSearch
| order by TimeGenerated desc | Correct | 1 | 41.22s | 0.1809 |
o1-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.8842 |
o3-mini-high | lsass | DeviceProcessEvents
| where InitiatingProcessCommandLine has "tasklist" and InitiatingProcessCommandLine has "|"
| where InitiatingProcessCommandLine has_any ("find", "findstr")
| extend SearchedProcess = extract(@"(?i)\|\s*(?:findstr|find)\s+(?:/i\s+)?([^\s]+)", 1, InitiatingProcessCommandLine)
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, SearchedProcess
// Timerange will be set in function call. | Correct | 1 | 12.84s | 0.0099 |
o3-mini-low | cmd.exe | DeviceProcessEvents
| where isnotempty(InitiatingProcessCommandLine)
| where InitiatingProcessCommandLine contains "dir" and (InitiatingProcessCommandLine contains "| find " or InitiatingProcessCommandLine contains "| findstr ")
| extend SearchedProcess = extract('(?i)\\|\\s*(?:findstr|find)\\s+"([^"]+)"', 1, InitiatingProcessCommandLine)
| project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine = InitiatingProcessCommandLine, SearchedProcess
| order by TimeGenerated desc | Incorrect | 5 | 126.47s | 0.0583 |
o4-mini-high | lsass | DeviceProcessEvents
// Look for any command line containing a pipe
| where ProcessCommandLine contains "|"
// Ensure a built-in listing tool is used before the pipe
| where ProcessCommandLine matches regex "(?i)\\b(?:dir|ls|Get-ChildItem|tasklist|wmic)\\b\\s*\\|"
// Ensure a string filter is called after the pipe
| where ProcessCommandLine matches regex "(?i)\\|\\s*(?:findstr|grep)\\b"
// Extract the term passed to findstr or grep (first non-quoted token)
| extend SearchedTerm = extract("(?i)(?:findstr|grep)\\s+['\\\"]?([^'\\\"]+)", 1, ProcessCommandLine)
| where isnotempty(SearchedTerm)
// Summarize by the searched term, showing count and example devices/accounts
| summarize EventCount = count(), AffectedDevices = make_set(DeviceName, 10), AffectedUsers = make_set(InitiatingProcessAccountName, 10) by SearchedTerm
| project SearchedTerm, EventCount, AffectedDevices, AffectedUsers
| order by EventCount desc | Correct | 2 | 76.77s | 0.0275 |
o4-mini-low | lsass | DeviceProcessEvents
| where ActionType == "ProcessCreated"
// Identify invocations of built-in listing tools piped into findstr
| where ProcessCommandLine has "|" and ProcessCommandLine has "findstr"
| where ProcessCommandLine has_any ("dir","tasklist")
// Extract the search term passed to findstr
| extend SearchTerm = extract(@"findstr\s+""?([^""\s]+)""?", 1, ProcessCommandLine)
| where isnotempty(SearchTerm)
// Select relevant details and count occurrences
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, SearchTerm, ProcessCommandLine
| summarize Occurrences = count() by SearchTerm
| sort by Occurrences desc | Correct | 3 | 110.85s | 0.0379 |