Question Analysis
On a Windows endpoint, an attacker ran a PowerShell sequence to establish a WMI event subscription using CommandLineEventConsumer. Inspect the process or script execution logs to uncover which executable was set to run by this subscription.
Question ID: 3c64f177-28e2-49eb-a799-d767b24dd1e0
Models Correct: 6/16
Valid Answer: 1
Success Rate: 38%
Reference Answer
Human-validated correct answer for this question
notepad.exe
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0471 |
gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0112 |
gpt-4-turbo-2024-04-09 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2363 |
gpt-4.1 | notepad.exe | See query below | Correct | 1 | 8.62s | 0.0127 |
gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0544 |
gpt-4.1-mini | notepad.exe | See query below | Correct | 1 | 3.72s | 0.0023 |
gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0017 |
gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0478 |
grok-3-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.1135 |
grok-3-mini-beta | notepad.exe | See query below | Correct | 3 | 35.67s | 0.0045 |
o1-high | notepad.exe | See query below | Correct | 1 | 41.21s | 0.2311 |
o1-low | notepad.exe | See query below | Correct | 1 | 31.21s | 0.2148 |
o3-mini-high | notepad.exe | See query below | Correct | 2 | 25.32s | 0.0183 |
o3-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0390 |
o4-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0459 |
o4-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0467 |

KQL Queries Generated by the Correct Models
Each query is reproduced exactly as the model produced it.

gpt-4.1:

```kql
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_all ("CommandLineEventConsumer") and (ProcessCommandLine has "WMI" or ProcessCommandLine has "__EventFilter" or ProcessCommandLine has "event subscription")
| extend SubscriptionCommand = extract(@'CommandLine="([^"]+)"', 1, ProcessCommandLine)
| extend SubscriptionExecutable = extract(@'([a-zA-Z]:\\[^"\s]+\.exe)', 1, SubscriptionCommand)
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, SubscriptionCommand, SubscriptionExecutable
| order by TimeGenerated desc
```

gpt-4.1-mini:

```kql
DeviceProcessEvents
| where ProcessCommandLine contains "Register-WmiEvent" or ProcessCommandLine contains "Register-WmiEventSubscription" or ProcessCommandLine contains "EventFilter" or ProcessCommandLine contains "__EventFilter" or ProcessCommandLine contains "CommandLineEventConsumer"
| extend ExecutorCommand = extract(@"(?i)CommandLineEventConsumer" , 0, ProcessCommandLine)
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, ExecutorCommand
| order by TimeGenerated desc
```

grok-3-mini-beta:

```kql
DeviceProcessEvents
| where FileName has "powershell.exe" and ProcessCommandLine contains "CommandLineEventConsumer"
| extend Executable = extract("CommandLineTemplate=[\"']([^\"']+)[\"']", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, ProcessCommandLine, Executable
| order by TimeGenerated desc
```

o1-high:

```kql
DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has "CommandLineEventConsumer" or ProcessCommandLine has "__EventFilter" or ProcessCommandLine has "__FilterToConsumerBinding"
| parse kind=regex flags=U ProcessCommandLine with @"CommandLineTemplate\s*=\s*'([^']+)'" CommandLineTemplate
| project TimeGenerated, DeviceId, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, CommandLineTemplate
```

o1-low:

```kql
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
| where isnotempty(ProcessCommandLine)
| where ProcessCommandLine has_any("Register-WMIEvent","CommandLineEventConsumer","__EventConsumer")
| project TimeGenerated,
    DeviceName,
    InitiatingProcessAccountName,
    FileName,
    FolderPath,
    ProcessCommandLine
```

o3-mini-high:

```kql
union withsource=TableName DeviceProcessEvents, DeviceEvents
| where (InitiatingProcessCommandLine has "PowerShell" or ProcessCommandLine has "PowerShell")
    and (InitiatingProcessCommandLine has "CommandLineEventConsumer" or ProcessCommandLine has "CommandLineEventConsumer")
| extend CmdLine = iif(isnotempty(ProcessCommandLine), ProcessCommandLine, InitiatingProcessCommandLine)
| extend ExecutableSet = extract("(?i)([\\w]+\\.exe)", 1, CmdLine)
| project TimeGenerated, DeviceName, TableName, FileName, CmdLine, ExecutableSet
| sort by TimeGenerated desc
```