Question Analysis
On a Windows endpoint, look for evidence of a base64-encoded PowerShell payload execution. Which executable launched the encoded command?
a50d5a97-2531-499e-a1de-5544c74432c6
Question ID
11/16
Models Correct
1
Valid Answer
69%
Success Rate
Reference Answer
Human-validated correct answer for this question
powershell.exe
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0159 |
| gpt-35-turbo | powershell.exe | DeviceProcessEvents
| where ProcessCommandLine contains 'powershell' and ProcessCommandLine contains ' -encodedcommand'
| project InitiatingProcessFileName | Correct | 1 | 2.97s | 0.0023 |
| gpt-4-turbo-2024-04-09 | powershell.exe | DeviceProcessEvents
| where ProcessCommandLine has_any ('-EncodedCommand', 'eN') and InitiatingProcessFileName =~ 'powershell.exe'
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, InitiatingProcessParentId, InitiatingProcessId
| distinct TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, InitiatingProcessParentId, InitiatingProcessId | Correct | 1 | 10.50s | 0.0532 |
| gpt-4.1 | powershell.exe | DeviceProcessEvents
| where FileName =~ "powershell.exe" or FileName =~ "pwsh.exe"
| where ProcessCommandLine has_any ("-enc ", "-encodedcommand ")
| project TimeGenerated, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName, AccountDomain
| order by TimeGenerated desc | Correct | 1 | 5.75s | 0.0113 |
| gpt-4.1-finetuned | powershell.exe | DeviceProcessEvents
| where ProcessCommandLine matches regex ".* -e.*([A-Za-z0-9+/=]){10,}.*"
| summarize count() by InitiatingProcessFileName, bin(Timestamp, 5m)
| sort by count_ desc | Correct | 2 | 13.26s | 0.0065 |
| gpt-4.1-mini | powershell.exe | DeviceProcessEvents
| where FileName == "powershell.exe" or FileName == "pwsh.exe"
| where ProcessCommandLine has "-EncodedCommand" or ProcessCommandLine has "-e "
| project TimeGenerated, DeviceName, FileName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 4.14s | 0.0023 |
| gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0016 |
| gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0526 |
| grok-3-beta | powershell.exe | DeviceProcessEvents
| where FileName contains "powershell.exe"
| where ProcessCommandLine contains "encodedcommand" or ProcessCommandLine matches regex @"[A-Za-z0-9+/]{50,}"
| summarize Count = count() by InitiatingProcessFileName, DeviceName
| order by Count desc | Correct | 1 | 10.53s | 0.0205 |
| grok-3-mini-beta | powershell.exe | DeviceProcessEvents
| where FileName startswith 'powershell'
| where ProcessCommandLine contains '-EncodedCommand'
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName | Correct | 1 | 15.20s | 0.0016 |
| o1-high | powershell.exe | DeviceProcessEvents
| where Timestamp >= ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any ("-enc ", "-EncodedCommand")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 23.01s | 0.1918 |
| o1-low | powershell.exe | DeviceProcessEvents
| where FileName in~ ("powershell.exe", "powershell_ise.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("-enc", "-encodedCommand")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | Correct | 1 | 25.49s | 0.2137 |
| o3-mini-high | dash | DeviceProcessEvents
| where tolower(InitiatingProcessCommandLine) contains "-encodedcommand" or tolower(InitiatingProcessCommandLine) contains "-enc"
| summarize Count = count() by InitiatingProcessFileName
| order by Count desc | Incorrect | 1 | 14.57s | 0.0105 |
| o3-mini-low | powershell.exe | DeviceProcessEvents
| where ProcessCommandLine contains "-EncodedCommand"
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| extend ParentExecutable = coalesce(InitiatingProcessFileName, "N/A")
| order by TimeGenerated desc | Correct | 1 | 32.82s | 0.0110 |
| o4-mini-high | powershell.exe | DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
// Match –EncodedCommand or –enc followed by a Base64‐style string
| where tolower(ProcessCommandLine) matches regex @"-enc(odedcommand)?\s+[A-Za-z0-9+/=]{20,}"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc | Correct | 1 | 25.97s | 0.0084 |
| o4-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0313 |