Question Analysis
On a Windows host, a PowerShell script is fetched from an external source and run to harvest local Wi-Fi credentials. Investigate the process execution logs to determine the file name of the script that was downloaded and invoked.
afe369c2-b42e-447f-98a3-fb1f4e2b8552
Question ID
8/16
Models Correct
1
Valid Answer
50%
Success Rate
Reference Answer
Human-validated correct answer for this question
WinPwn.ps1
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | WinPwn.ps1 | DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine contains ".ps1"
| project Timestamp, DeviceName, ProcessCommandLine | Correct | 1 | 25.32s | 0.0142 |
gpt-35-turbo | cscript.exe | DeviceProcessEvents
| where FileName contains 'script'
| project FileName, ProcessId, DeviceName, TimeGenerated | Incorrect | 3 | 5.05s | 0.0067 |
gpt-4-turbo-2024-04-09 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2549 |
gpt-4.1 | WinPwn.ps1 | DeviceProcessEvents
| where (InitiatingProcessFileName =~ 'powershell.exe' or InitiatingProcessFileName =~ 'pwsh.exe' or FileName =~ 'powershell.exe' or FileName =~ 'pwsh.exe')
| where ProcessCommandLine has_any ('Invoke-WebRequest', 'curl', 'wget', 'iwr', '-EncodedCommand', 'Start-BitsTransfer', '.ps1', 'http', 'https')
or FileName endswith '.ps1'
| extend DownloadedScriptFile = extract(@'([\w\d-_]+\.ps1)', 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, FileName, DownloadedScriptFile
| order by TimeGenerated desc | Correct | 2 | 11.27s | 0.0393 |
gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0577 |
gpt-4.1-mini | WinPwn.ps1 | DeviceProcessEvents
| where FileName =~ "powershell.exe" or FileName =~ "pwsh.exe"
| where ProcessCommandLine has_any ("Invoke-WebRequest", "DownloadString", "wget", ".ps1")
| project DeviceName, ProcessCreationTime, ProcessId, FileName, ProcessCommandLine
| order by ProcessCreationTime desc | Correct | 1 | 7.03s | 0.0040 |
gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0013 |
gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0529 |
grok-3-beta | WinPwn.ps1 | DeviceProcessEvents
| where InitiatingProcessFileName =~ 'powershell.exe'
| where ProcessCommandLine contains 'Invoke-WebRequest' or ProcessCommandLine contains 'IEX' or ProcessCommandLine contains '.ps1'
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, FileName, FolderPath
| join kind=leftouter (
DeviceFileEvents
| where ActionType == 'FileCreated' or ActionType == 'FileDownloaded'
| where FileName endswith '.ps1'
| project FileTimestamp=Timestamp, FileName, FileOriginUrl, FolderPath
) on FileName
| where isnull(FileTimestamp) or (FileTimestamp >= Timestamp - 1h and FileTimestamp <= Timestamp + 1h)
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, FileName, FileOriginUrl, FolderPath
| order by Timestamp desc | Correct | 2 | 23.95s | 0.0567 |
grok-3-mini-beta | WinPwn.ps1 | DeviceProcessEvents
| where FileName =~ 'powershell.exe'
| where ProcessCommandLine contains '.ps1' or ProcessCommandLine contains 'Invoke-WebRequest' or ProcessCommandLine contains 'bitsadmin'
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 13.50s | 0.0030 |
o1-high | 08cabb5a-a9a4-4758-9e93-28d5bdfa77ef.ps1 | union DeviceFileEvents, DeviceProcessEvents
| where ActionType in ("FileCreated", "FileDownloaded", "CreateProcess")
| where InitiatingProcessFileName has_any ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
// Look for .ps1 script references
| where FileName endswith ".ps1" or ProcessCommandLine has ".ps1" or FileOriginUrl has ".ps1"
| project TimeGenerated,
DeviceName,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
FileName,
FolderPath,
FileOriginUrl,
ProcessCommandLine,
ActionType,
Type
| order by TimeGenerated desc | Incorrect | 4 | 176.70s | 1.1632 |
o1-low | WinPwn.ps1 | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("Net.WebClient", "DownloadFile", "Invoke-WebRequest", "IEX")
| project TimeGenerated, DeviceName, AccountName, FolderPath, FileName, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 45.40s | 0.3244 |
o3-mini-high | WinPwn.ps1 | DeviceProcessEvents
| where FileName contains "powershell.exe" and ProcessCommandLine contains ".ps1"
| extend FetchedScript = tostring(extract(@"\b(\S+\.ps1)\b", 1, ProcessCommandLine))
| where isnotempty(FetchedScript)
| project TimeGenerated, DeviceName, FileName, FetchedScript, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 3 | 47.36s | 0.0383 |
o3-mini-low | WinPwn.ps1 | DeviceProcessEvents
| where ProcessCommandLine has "PowerShell" and ProcessCommandLine contains ".ps1"
| extend ScriptName = extract(@'[\\/]+([^\\/\s]+\.ps1)', 1, ProcessCommandLine)
| where isnotempty(ScriptName)
| project TimeGenerated, DeviceName, ProcessCommandLine, ScriptName, InitiatingProcessFileName, FolderPath
| order by TimeGenerated desc
| take 100 | Correct | 1 | 15.57s | 0.0173 |
o4-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0550 |
o4-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0476 |