Question Analysis

On a Windows host, an external PowerShell script is fetched and run to harvest local Wi-Fi credentials. Investigate the process execution logs to find out what script file name was downloaded and invoked.

afe369c2-b42e-447f-98a3-fb1f4e2b8552
Question ID
8/16
Models Correct
1
Valid Answer
50%
Success Rate
Reference Answer

Human-validated correct answer for this question

WinPwn.ps1
Model Performance Comparison

See how different AI models performed on this question

Model | Answer | KQL Query | Status | Attempts | Time | Cost
gemini-2.5-flash-preview-04-17
WinPwn.ps1
DeviceProcessEvents | where FileName =~ "powershell.exe" | where ProcessCommandLine contains ".ps1" | project Timestamp, DeviceName, ProcessCommandLine
Correct
1
25.32s
0.0142
gpt-35-turbo
cscript.exe
DeviceProcessEvents | where FileName contains 'script' | project FileName, ProcessId, DeviceName, TimeGenerated
Incorrect
3
5.05s
0.0067
gpt-4-turbo-2024-04-09
No answer provided
No query generated
Incorrect
5
0.00s
0.2549
gpt-4.1
WinPwn.ps1
DeviceProcessEvents | where (InitiatingProcessFileName =~ 'powershell.exe' or InitiatingProcessFileName =~ 'pwsh.exe' or FileName =~ 'powershell.exe' or FileName =~ 'pwsh.exe') | where ProcessCommandLine has_any ('Invoke-WebRequest', 'curl', 'wget', 'iwr', '-EncodedCommand', 'Start-BitsTransfer', '.ps1', 'http', 'https') or FileName endswith '.ps1' | extend DownloadedScriptFile = extract(@'([\w\d-_]+\.ps1)', 1, ProcessCommandLine) | project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, FileName, DownloadedScriptFile | order by TimeGenerated desc
Correct
2
11.27s
0.0393
gpt-4.1-finetuned
No answer provided
No query generated
Incorrect
5
0.00s
0.0577
gpt-4.1-mini
WinPwn.ps1
DeviceProcessEvents | where FileName =~ "powershell.exe" or FileName =~ "pwsh.exe" | where ProcessCommandLine has_any ("Invoke-WebRequest", "DownloadString", "wget", ".ps1") | project DeviceName, ProcessCreationTime, ProcessId, FileName, ProcessCommandLine | order by ProcessCreationTime desc
Correct
1
7.03s
0.0040
gpt-4.1-nano
No answer provided
No query generated
Incorrect
5
0.00s
0.0013
gpt-4o
No answer provided
No query generated
Incorrect
5
0.00s
0.0529
grok-3-beta
WinPwn.ps1
DeviceProcessEvents | where InitiatingProcessFileName =~ 'powershell.exe' | where ProcessCommandLine contains 'Invoke-WebRequest' or ProcessCommandLine contains 'IEX' or ProcessCommandLine contains '.ps1' | project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, FileName, FolderPath | join kind=leftouter ( DeviceFileEvents | where ActionType == 'FileCreated' or ActionType == 'FileDownloaded' | where FileName endswith '.ps1' | project FileTimestamp=Timestamp, FileName, FileOriginUrl, FolderPath ) on FileName | where isnull(FileTimestamp) or (FileTimestamp >= Timestamp - 1h and FileTimestamp <= Timestamp + 1h) | project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, FileName, FileOriginUrl, FolderPath | order by Timestamp desc
Correct
2
23.95s
0.0567
grok-3-mini-beta
WinPwn.ps1
DeviceProcessEvents | where FileName =~ 'powershell.exe' | where ProcessCommandLine contains '.ps1' or ProcessCommandLine contains 'Invoke-WebRequest' or ProcessCommandLine contains 'bitsadmin' | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine | order by TimeGenerated desc
Correct
1
13.50s
0.0030
o1-high
08cabb5a-a9a4-4758-9e93-28d5bdfa77ef.ps1
union DeviceFileEvents, DeviceProcessEvents | where ActionType in ("FileCreated", "FileDownloaded", "CreateProcess") | where InitiatingProcessFileName has_any ("powershell.exe", "pwsh.exe", "powershell_ise.exe") // Look for .ps1 script references | where FileName endswith ".ps1" or ProcessCommandLine has ".ps1" or FileOriginUrl has ".ps1" | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, FileOriginUrl, ProcessCommandLine, ActionType, Type | order by TimeGenerated desc
Incorrect
4
176.70s
1.1632
o1-low
WinPwn.ps1
DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName =~ "powershell.exe" | where ProcessCommandLine has_any ("Net.WebClient", "DownloadFile", "Invoke-WebRequest", "IEX") | project TimeGenerated, DeviceName, AccountName, FolderPath, FileName, ProcessCommandLine | order by TimeGenerated desc
Correct
1
45.40s
0.3244
o3-mini-high
WinPwn.ps1
DeviceProcessEvents | where FileName contains "powershell.exe" and ProcessCommandLine contains ".ps1" | extend FetchedScript = tostring(extract(@"\b(\S+\.ps1)\b", 1, ProcessCommandLine)) | where isnotempty(FetchedScript) | project TimeGenerated, DeviceName, FileName, FetchedScript, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated desc
Correct
3
47.36s
0.0383
o3-mini-low
WinPwn.ps1
DeviceProcessEvents | where ProcessCommandLine has "PowerShell" and ProcessCommandLine contains ".ps1" | extend ScriptName = extract(@'[\\/]+([^\\/\s]+\.ps1)', 1, ProcessCommandLine) | where isnotempty(ScriptName) | project TimeGenerated, DeviceName, ProcessCommandLine, ScriptName, InitiatingProcessFileName, FolderPath | order by TimeGenerated desc | take 100
Correct
1
15.57s
0.0173
o4-mini-high
No answer provided
No query generated
Incorrect
5
0.00s
0.0550
o4-mini-low
No answer provided
No query generated
Incorrect
5
0.00s
0.0476