Question Analysis
On a Windows endpoint, wscript.exe was used to run a JScript file. Identify the exact script path that was passed to wscript.exe.
0709945e-4fec-4c49-9faf-c3c292a74484
Question ID
14/23
Models Correct
1
Valid Answer
61%
Success Rate
Reference Answer
Human-validated correct answer for this question. `PathToAtomicsFolder` is the Atomic Red Team placeholder for the local atomics directory; model answers that resolved it to `C:\AtomicRedTeam\atomics` were graded Correct in the table below.
PathToAtomicsFolder\T1059.007\src\sys_info.js
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | C:\AtomicRedTeam\atomics\T1059.007\src\sys_info.js | DeviceProcessEvents
// =~ is case-insensitive string equality, so WScript.exe and wscript.exe both match.
| where FileName =~ "wscript.exe"
// No extraction step: the script path has to be read by the analyst out of ProcessCommandLine.
// Timestamp is the Defender advanced-hunting column (TimeGenerated in Sentinel).
| project Timestamp, DeviceName, ProcessCommandLine | Correct | 1 | 5.54s | 0.0022 |
gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0108 |
gpt-4-turbo-2024-04-09 | C:\AtomicRedTeam\atomics\T1059.007\src\sys_info.js | DeviceProcessEvents
// == is case-sensitive: a process logged as WScript.exe would be missed (=~ avoids this).
// `has` is a whole-term match rather than a substring match, so the leading dot in ".js" is not significant.
| where FileName == 'wscript.exe' and ProcessCommandLine has ".js"
// The script path is not extracted; it must be read from ProcessCommandLine.
| project DeviceName, ProcessCommandLine, TimeGenerated
// distinct over exactly the projected columns only collapses fully duplicate rows.
| distinct DeviceName, ProcessCommandLine, TimeGenerated | Correct | 1 | 11.76s | 0.0508 |
gpt-4.1 | C:\AtomicRedTeam\atomics\T1059.007\src\sys_info.js | DeviceProcessEvents
// Case-insensitive match on the image name via tolower().
| where tolower(FileName) == "wscript.exe"
// Cheap pre-filter before the regex: only command lines containing a .js / .jse term.
| where ProcessCommandLine has_any (".js", ".jse")
// Verbatim (@) string: either a double-quoted path, or a run of non-whitespace ending in .js / .jse.
| extend PathRegex = @'("[^"]+\.js[e]?"|\S+\.js[e]?)'
// Capture group 0 is the whole match, so a quoted path is returned with its quotes intact (no trim step).
| extend ScriptPath = extract(PathRegex, 0, ProcessCommandLine)
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, ScriptPath
// Drop rows where the regex found nothing.
| where isnotempty(ScriptPath) | Correct | 3 | 15.63s | 0.0263 |
gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0440 |
gpt-4.1-mini | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0086 |
gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0016 |
gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0589 |
gpt-5-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2867 |
gpt-5-mini-high | C:\AtomicRedTeam\atomics\T1059.007\src\sys_info.js | // Find wscript.exe usages and extract the script path argument (js/jse/wsf/vbs)
// Look in multiple tables because commandline can appear in different fields
// Each branch is projected to the same column set (Source, TimeGenerated, ..., CmdLine, ScriptPath) so the unions line up.
(
DeviceProcessEvents
// coalesce() takes the first non-empty value; the "" fallback keeps CmdLine from being null.
| extend CmdLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine, "")
// Matches on the image name, or on any command line mentioning wscript (this also catches parent command lines).
| where tolower(FileName) == "wscript.exe" or (isnotempty(CmdLine) and tolower(CmdLine) contains "wscript")
// (?i) makes the regex case-insensitive; "" inside a verbatim @"" string is one literal quote.
// Group 1 is the path without surrounding quotes; the outer trim() removes any quote that still survived.
| extend ScriptPath = trim('"', tostring(extract(@"(?i)""?([^""\s]+?\.(?:js|jse|wsf|vbs))""?", 1, CmdLine)))
| project Source = "DeviceProcessEvents", TimeGenerated, DeviceName, FileName, ProcessId, ProcessCreationTime, CmdLine, ScriptPath
)
| union
(
DeviceEvents
// NOTE(review): AdditionalFields.CommandLine is assumed to be populated for some DeviceEvents action types — verify against the schema.
| extend CmdLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine, tostring(AdditionalFields.CommandLine), "")
| where tolower(FileName) == "wscript.exe" or (isnotempty(CmdLine) and tolower(CmdLine) contains "wscript") or tolower(InitiatingProcessFileName) == "wscript.exe"
| extend ScriptPath = trim('"', tostring(extract(@"(?i)""?([^""\s]+?\.(?:js|jse|wsf|vbs))""?", 1, CmdLine)))
| project Source = "DeviceEvents", TimeGenerated, DeviceName, FileName, ProcessId, ProcessCreationTime, CmdLine, ScriptPath
)
| union
(
DeviceFileEvents
| extend CmdLine = coalesce(InitiatingProcessCommandLine, tostring(AdditionalFields.CommandLine), "")
// NOTE(review): in DeviceFileEvents, FileName is the file the event is about, so the first clause matches
// events on a file called wscript.exe rather than its execution — presumably unintended. The
// InitiatingProcessFileName clause is the one that finds files touched by a running wscript.exe.
| where tolower(FileName) == "wscript.exe" or (isnotempty(CmdLine) and tolower(CmdLine) contains "wscript") or tolower(InitiatingProcessFileName) == "wscript.exe"
| extend ScriptPath = trim('"', tostring(extract(@"(?i)""?([^""\s]+?\.(?:js|jse|wsf|vbs))""?", 1, CmdLine)))
// Process columns are taken from the Initiating* fields so the row shape matches the other branches.
| project Source = "DeviceFileEvents", TimeGenerated, DeviceName, FileName, ProcessId = InitiatingProcessId, ProcessCreationTime = InitiatingProcessCreationTime, CmdLine, ScriptPath
)
| where isnotempty(ScriptPath)
// any() returns an arbitrary value per group, so ExampleCmd / AnyProcessId are samples, not the full set.
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Count = count(), ExampleCmd = any(CmdLine), AnyProcessId = any(ProcessId) by DeviceName, ScriptPath, Source, FileName
| order by FirstSeen desc
| Correct | 4 | 56.16s | 0.0165 |
gpt-5-mini-low | C:\AtomicRedTeam\atomics\T1059.007\src\sys_info.js | DeviceProcessEvents
| where isnotempty(ProcessCommandLine)
// has_cs is a case-sensitive term match: "WScript" on a command line would not match.
| where ProcessCommandLine has_cs "wscript"
// Narrow to likely script extensions used by JScript / Windows Script Host
| where ProcessCommandLine has_any (".js", ".jse", ".wsf")
| extend Cmd = tostring(ProcessCommandLine)
// Split into arguments, trim quotes and find tokens that look like script files
// Splitting on a single space breaks a quoted path containing spaces into several tokens;
// only the token ending in the extension survives the filter below, so such a path is truncated.
| extend Args = split(Cmd, ' ')
// One output row per token.
| mv-expand Arg = Args to typeof(string)
| extend ArgTrim = trim('"', Arg)
// endswith_cs is case-sensitive, so a .JS token would be dropped here.
| where ArgTrim endswith_cs '.js' or ArgTrim endswith_cs '.jse' or ArgTrim endswith_cs '.wsf'
// Aggregate per process to get a single representative script path and timestamps
// any() picks one token arbitrarily if a command line contains several script-like tokens.
| summarize ScriptPath = any(ArgTrim), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count() by DeviceName, DeviceId, ProcessId, InitiatingProcessFileName, ProcessCommandLine
| order by LastSeen desc
| project FirstSeen, LastSeen, DeviceName, DeviceId, ProcessId, InitiatingProcessFileName, ScriptPath, ProcessCommandLine, Hits
// Hard cap on rows returned.
| take 100 | Correct | 4 | 64.56s | 0.0159 |
gpt-5-mini-medium | C:\AtomicRedTeam\atomics\T1059.007\src\sys_info.js | DeviceProcessEvents
| where isnotempty(ProcessCommandLine)
// contains_cs is a case-sensitive substring match; the FileName clause is case-insensitive via tolower().
| where ProcessCommandLine contains_cs "wscript" or tolower(FileName) == "wscript.exe"
| extend RawCmd = tostring(ProcessCommandLine)
// try double-quoted script path e.g. "C:\path\script.js"
| extend ScriptQuotedDouble = extract(@'"([^"]+\.(?:js|jse|wsf|vbs))"', 1, RawCmd)
// try single-quoted script path e.g. 'C:\path\script.js'
| extend ScriptQuotedSingle = extract(@"'([^']+\.(?:js|jse|wsf|vbs))'", 1, RawCmd)
// try unquoted absolute path e.g. C:\path\script.js or \\host\share\script.js
// \x22 is the double-quote character; the class stops the match at whitespace, quotes and shell separators.
// An unquoted relative path (script.js, .\script.js) is not covered by any of the three patterns.
| extend ScriptUnquoted = extract(@"((?:[A-Za-z]:\\|\\\\)[^\s'\x22;|&]+\.(?:js|jse|wsf|vbs))", 1, RawCmd)
// First non-empty candidate wins, in the order double-quoted, single-quoted, unquoted.
| extend ScriptPath = coalesce(ScriptQuotedDouble, ScriptQuotedSingle, ScriptUnquoted)
| where isnotempty(ScriptPath)
| project TimeGenerated, DeviceName, ProcessId, FileName, InitiatingProcessFileName, InitiatingProcessId, RawCmd, ScriptPath
// distinct over the same column list as the project only removes fully duplicate rows.
| distinct TimeGenerated, DeviceName, ProcessId, FileName, InitiatingProcessFileName, InitiatingProcessId, RawCmd, ScriptPath
| order by TimeGenerated desc
| take 100 | Correct | 2 | 32.94s | 0.0082 |
gpt-5-nano-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0102 |
gpt-5-nano-medium | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0082 |
grok-3-beta | C:\AtomicRedTeam\atomics\T1059.007\src\sys_info.js | DeviceProcessEvents
// == is case-sensitive on the image name; =~ would also match WScript.exe.
| where FileName == 'wscript.exe'
// `has` is a case-insensitive term match, used here as a cheap pre-filter for the regex.
| where ProcessCommandLine has '.js' or ProcessCommandLine has '.jse'
// Non-verbatim string, so \\S and \\. reach the regex engine as \S and \. .
// Group 0 is the whole match, and the first alternative begins with [^"], which consumes one character
// before the path (usually the separating space) — the extracted value can therefore carry a leading character.
| extend ScriptPath = extract('(?:[^"]\\S+\\.js[e]?|[^"\\s]+\\.js[e]?)', 0, ProcessCommandLine)
// Timestamp is the Defender advanced-hunting column name (TimeGenerated in Sentinel).
| project DeviceName, Timestamp, ProcessCommandLine, ScriptPath
| order by Timestamp desc | Correct | 1 | 11.38s | 0.0211 |
grok-3-mini-beta | C:\AtomicRedTeam\atomics\T1059.007\src\sys_info.js | DeviceProcessEvents
| where FileName =~ "wscript.exe"
// contains is a case-insensitive substring match.
| where ProcessCommandLine contains ".js"
// Returns the first whitespace-delimited token after "wscript.exe". A WSH host switch in that position,
// or a quoted path containing spaces, would be returned in place of (or as a fragment of) the script path.
// typeof(string) is the optional result-type argument of extract().
| extend scriptPath = extract(@"wscript\.exe\s+([^\s]+)", 1, ProcessCommandLine, typeof(string))
| project Timestamp, DeviceName, ProcessCommandLine, scriptPath
| order by Timestamp desc | Correct | 2 | 23.51s | 0.0030 |
o1-high | C:\AtomicRedTeam\atomics\T1059.007\src\sys_info.js | DeviceProcessEvents
| where FileName =~ "wscript.exe"
| where ProcessCommandLine has ".js"
// Regular (non-verbatim) string: \" is a literal quote and \\ a backslash for the regex engine.
// Group 1 is the whole alternation: a double-quoted path, or a run of non-whitespace ending in .js.
// Only .js is matched, so .jse scripts are not extracted.
| extend ScriptPath = extract("(\"[^\"]+\\.js\"|\\S+\\.js)", 1, ProcessCommandLine)
// Strip surrounding double quotes (inner trim) and then single quotes (outer trim) left over from the quoted alternative.
| extend ScriptPath = trim("'", trim("\"", ScriptPath))
| project TimeGenerated, DeviceName, ScriptPath, ProcessCommandLine, AccountName, AccountDomain | Correct | 3 | 96.92s | 0.6185 |
o1-low | C:\AtomicRedTeam\atomics\T1059.007\src\sys_info.js | DeviceProcessEvents
| where FileName =~ "wscript.exe"
// Both are case-insensitive substring checks; "JScript" rarely appears on a command line, so the ".js" term does the work.
| where ProcessCommandLine contains ".js" or ProcessCommandLine contains "JScript"
// First argument after wscript.exe, quoted or not. Quotes are kept in the result (no trim), and a
// WSH host switch placed before the script would be captured instead of the path.
| extend ScriptPath = extract(@'wscript\.exe\s+("[^"]+"|\S+)', 1, ProcessCommandLine)
// InitiatingProcessAccountName is the parent process's account; AccountName is the wscript.exe process's own.
| project DeviceName,
TimeGenerated,
ScriptPath,
ProcessCommandLine,
InitiatingProcessAccountName,
AccountName
| order by TimeGenerated desc | Correct | 5 | 126.68s | 0.9837 |
o3-high | C:\AtomicRedTeam\atomics\T1059.007\src\sys_info.js | DeviceProcessEvents
| where ActionType == "ProcessCreated" // process start events only
| where FileName =~ "wscript.exe" // the process is wscript.exe (case-insensitive)
| where ProcessCommandLine has_any (".js", ".jse") // command line mentions a JScript file
// Extract the first argument that looks like C:\path\file.js(e) or \\server\share\file.js(e)
// (?i) = case-insensitive; "" inside a verbatim @"" string is one literal quote. The leading
// (?:^|[""'\s]) anchors the path at start-of-line, a quote or whitespace so no prefix is captured;
// the path itself ends at the first quote or whitespace, so an unquoted path containing spaces is truncated.
| extend ScriptPath = tostring(extract(@"(?i)(?:^|[""'\s])((?:[A-Za-z]:|\\\\)[^""'\s]+\.js(?:e)?)", 1, ProcessCommandLine))
| where isnotempty(ScriptPath)
// FolderPath and SHA256 refer to the created process image (wscript.exe); the Initiating* columns give the
// parent process, which is the usual pivot for deciding whether the execution was expected.
| project TimeGenerated,
DeviceName,
AccountDomain,
AccountName,
ScriptPath,
ProcessCommandLine,
FolderPath,
SHA256,
InitiatingProcessFileName,
InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 5 | 167.73s | 0.0923 |
o3-mini-high | C:\AtomicRedTeam\atomics\T1059.007\src\sys_info.js | DeviceProcessEvents
| where FileName =~ "wscript.exe"
| where ProcessCommandLine contains ".js"
// Drive-letter path built from components that exclude the characters Windows forbids in file names (plus \ / CR LF).
// The class allows spaces, so the greedy final component runs to the last ".js" reachable without crossing a
// forbidden character — not necessarily the first. UNC (\\server\share) paths and .jse are not matched.
| extend ScriptPath = extract(@'([A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]+\.js)', 1, ProcessCommandLine)
| where isnotempty(ScriptPath)
| project TimeGenerated, DeviceName, ScriptPath, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 37.20s | 0.0080 |
o3-mini-low | C:\AtomicRedTeam\atomics\T1059.007\src\sys_info.js | DeviceProcessEvents
// has_cs is case-sensitive term matching on both lines: WScript.exe or .JS would be missed.
| where FileName has_cs "wscript.exe"
| where ProcessCommandLine has_cs ".js"
// Expects a space-free path immediately after wscript.exe. A quoted path is captured with its leading quote
// (the class [^\s] admits it), and a WSH host switch in that position leaves ScriptPath empty; since there is
// no isnotempty() filter, such rows are still returned.
| extend ScriptPath = extract(@"wscript\.exe\s+([^\s]+\.js)", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, ScriptPath, ProcessCommandLine
| order by TimeGenerated desc | Correct | 2 | 43.90s | 0.0175 |
o4-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0359 |
o4-mini-low | C:\AtomicRedTeam\atomics\T1059.007\src\sys_info.js | DeviceProcessEvents
// == is case-sensitive on the image name; =~ would also match WScript.exe.
| where FileName == "wscript.exe"
| where ProcessCommandLine has ".js"
// Drive-letter path extended lazily up to the first ".js"; it stops at a space, so a path containing spaces is
// cut short. UNC paths and .jse are not matched.
| extend ScriptPath = extract(@"([A-Za-z]:\\[^ \r\n]+?\.js)", 1, ProcessCommandLine)
| where isnotempty(ScriptPath)
// NOTE(review): User is taken from the initiating (parent) process; the wscript.exe process's own account is
// AccountName — presumably the same here, confirm before relying on it.
| project TimeGenerated, DeviceName, User = InitiatingProcessAccountName, ProcessCommandLine, ScriptPath
| order by TimeGenerated desc | Correct | 3 | 92.33s | 0.0298 |