// question

On a Windows host, an external PowerShell script is fetched and run to harvest local Wi-Fi credentials. Investigate the process execution logs to find out what script file name was downloaded and invoked.

Reference KQL answer and model-by-model comparison.

afe369c2-b42e-447f-98a3-fb1f4e2b8552
question id
8/23
models correct
1
valid answer
35%
success rate
// reference answer

Human-validated correct answer for this question.

WinPwn.ps1
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
WinPwn.ps1
DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine contains ".ps1"
| project Timestamp, DeviceName, ProcessCommandLine
pass125.32s0.0142
gpt-35-turbo
cscript.exe
DeviceProcessEvents
| where FileName contains 'script'
| project FileName, ProcessId, DeviceName, TimeGenerated
fail35.05s0.0067
gpt-4-turbo-2024-04-09
no answer
no query generatedfail50.00s0.2549
gpt-4.1
WinPwn.ps1
DeviceProcessEvents
| where (InitiatingProcessFileName =~ 'powershell.exe' or InitiatingProcessFileName =~ 'pwsh.exe' or FileName =~ 'powershell.exe' or FileName =~ 'pwsh.exe')
| where ProcessCommandLine has_any ('Invoke-WebRequest', 'curl', 'wget', 'iwr', '-EncodedCommand', 'Start-BitsTransfer', '.ps1', 'http', 'https')
      or FileName endswith '.ps1'
| extend DownloadedScriptFile = extract(@'([\w\d-_]+\.ps1)', 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, FileName, DownloadedScriptFile
| order by TimeGenerated desc
pass211.27s0.0393
gpt-4.1-finetuned
no answer
no query generatedfail50.00s0.0577
gpt-4.1-mini
WinPwn.ps1
DeviceProcessEvents
| where FileName =~ "powershell.exe" or FileName =~ "pwsh.exe"
| where ProcessCommandLine has_any ("Invoke-WebRequest", "DownloadString", "wget", ".ps1")
| project DeviceName, ProcessCreationTime, ProcessId, FileName, ProcessCommandLine
| order by ProcessCreationTime desc
pass17.03s0.0040
gpt-4.1-nano
no answer
no query generatedfail50.00s0.0013
gpt-4o
no answer
no query generatedfail50.00s0.0529
gpt-5-high
no answer
no query generatedfail50.00s0.3132
gpt-5-mini-high
no answer
no query generatedfail50.00s0.0260
gpt-5-mini-low
no answer
no query generatedfail50.00s0.0192
gpt-5-mini-medium
no answer
no query generatedfail50.00s0.0198
gpt-5-nano-high
no answer
no query generatedfail50.00s0.0117
gpt-5-nano-medium
no answer
no query generatedfail50.00s0.0130
grok-3-beta
WinPwn.ps1
DeviceProcessEvents
| where InitiatingProcessFileName =~ 'powershell.exe'
| where ProcessCommandLine contains 'Invoke-WebRequest' or ProcessCommandLine contains 'IEX' or ProcessCommandLine contains '.ps1'
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, FileName, FolderPath
| join kind=leftouter (
    DeviceFileEvents
    | where ActionType == 'FileCreated' or ActionType == 'FileDownloaded'
    | where FileName endswith '.ps1'
    | project FileTimestamp=Timestamp, FileName, FileOriginUrl, FolderPath
) on FileName
| where isnull(FileTimestamp) or (FileTimestamp >= Timestamp - 1h and FileTimestamp <= Timestamp + 1h)
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, FileName, FileOriginUrl, FolderPath
| order by Timestamp desc
pass223.95s0.0567
grok-3-mini-beta
WinPwn.ps1
DeviceProcessEvents
| where FileName =~ 'powershell.exe'
| where ProcessCommandLine contains '.ps1' or ProcessCommandLine contains 'Invoke-WebRequest' or ProcessCommandLine contains 'bitsadmin'
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by TimeGenerated desc
pass113.50s0.0030
o1-high
08cabb5a-a9a4-4758-9e93-28d5bdfa77ef.ps1
union DeviceFileEvents, DeviceProcessEvents
| where ActionType in ("FileCreated", "FileDownloaded", "CreateProcess")
| where InitiatingProcessFileName has_any ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
// Look for .ps1 script references
| where FileName endswith ".ps1" or ProcessCommandLine has ".ps1" or FileOriginUrl has ".ps1"
| project TimeGenerated,
          DeviceName,
          InitiatingProcessFileName,
          InitiatingProcessCommandLine,
          FileName,
          FolderPath,
          FileOriginUrl,
          ProcessCommandLine,
          ActionType,
          Type
| order by TimeGenerated desc
fail4176.70s1.1632
o1-low
WinPwn.ps1
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("Net.WebClient", "DownloadFile", "Invoke-WebRequest", "IEX")
| project TimeGenerated, DeviceName, AccountName, FolderPath, FileName, ProcessCommandLine
| order by TimeGenerated desc
pass145.40s0.3244
o3-high
no answer
no query generatedfail50.00s0.1102
o3-mini-high
WinPwn.ps1
DeviceProcessEvents
| where FileName contains "powershell.exe" and ProcessCommandLine contains ".ps1"
| extend FetchedScript = tostring(extract(@"\b(\S+\.ps1)\b", 1, ProcessCommandLine))
| where isnotempty(FetchedScript)
| project TimeGenerated, DeviceName, FileName, FetchedScript, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
pass347.36s0.0383
o3-mini-low
WinPwn.ps1
DeviceProcessEvents
| where ProcessCommandLine has "PowerShell" and ProcessCommandLine contains ".ps1"
| extend ScriptName = extract(@'[\\/]+([^\\/\s]+\.ps1)', 1, ProcessCommandLine)
| where isnotempty(ScriptName)
| project TimeGenerated, DeviceName, ProcessCommandLine, ScriptName, InitiatingProcessFileName, FolderPath
| order by TimeGenerated desc
| take 100
pass115.57s0.0173
o4-mini-high
no answer
no query generatedfail50.00s0.0550
o4-mini-low
no answer
no query generatedfail50.00s0.0476