// question
On a Windows host, an external PowerShell script is fetched and run to harvest local Wi-Fi credentials. Investigate the process execution logs to find out what script file name was downloaded and invoked.
Reference KQL answer and model-by-model comparison.
afe369c2-b42e-447f-98a3-fb1f4e2b8552
question id
8/23
models correct
1
valid answer
35%
success rate
// reference answer
Human-validated correct answer for this question.
WinPwn.ps1
// model comparison
| Model | Answer | KQL query | Status | Tries | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | WinPwn.ps1 | DeviceProcessEvents | where FileName =~ "powershell.exe" | where ProcessCommandLine contains ".ps1" | project Timestamp, DeviceName, ProcessCommandLine | pass | 1 | 25.32s | 0.0142 |
| gpt-35-turbo | cscript.exe | DeviceProcessEvents | where FileName contains 'script' | project FileName, ProcessId, DeviceName, TimeGenerated | fail | 3 | 5.05s | 0.0067 |
| gpt-4-turbo-2024-04-09 | no answer | no query generated | fail | 5 | 0.00s | 0.2549 |
| gpt-4.1 | WinPwn.ps1 | DeviceProcessEvents
| where (InitiatingProcessFileName =~ 'powershell.exe' or InitiatingProcessFileName =~ 'pwsh.exe' or FileName =~ 'powershell.exe' or FileName =~ 'pwsh.exe')
| where ProcessCommandLine has_any ('Invoke-WebRequest', 'curl', 'wget', 'iwr', '-EncodedCommand', 'Start-BitsTransfer', '.ps1', 'http', 'https')
or FileName endswith '.ps1'
| extend DownloadedScriptFile = extract(@'([\w\d-_]+\.ps1)', 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, FileName, DownloadedScriptFile
| order by TimeGenerated desc | pass | 2 | 11.27s | 0.0393 |
| gpt-4.1-finetuned | no answer | no query generated | fail | 5 | 0.00s | 0.0577 |
| gpt-4.1-mini | WinPwn.ps1 | DeviceProcessEvents
| where FileName =~ "powershell.exe" or FileName =~ "pwsh.exe"
| where ProcessCommandLine has_any ("Invoke-WebRequest", "DownloadString", "wget", ".ps1")
| project DeviceName, ProcessCreationTime, ProcessId, FileName, ProcessCommandLine
| order by ProcessCreationTime desc | pass | 1 | 7.03s | 0.0040 |
| gpt-4.1-nano | no answer | no query generated | fail | 5 | 0.00s | 0.0013 |
| gpt-4o | no answer | no query generated | fail | 5 | 0.00s | 0.0529 |
| gpt-5-high | no answer | no query generated | fail | 5 | 0.00s | 0.3132 |
| gpt-5-mini-high | no answer | no query generated | fail | 5 | 0.00s | 0.0260 |
| gpt-5-mini-low | no answer | no query generated | fail | 5 | 0.00s | 0.0192 |
| gpt-5-mini-medium | no answer | no query generated | fail | 5 | 0.00s | 0.0198 |
| gpt-5-nano-high | no answer | no query generated | fail | 5 | 0.00s | 0.0117 |
| gpt-5-nano-medium | no answer | no query generated | fail | 5 | 0.00s | 0.0130 |
| grok-3-beta | WinPwn.ps1 | DeviceProcessEvents
| where InitiatingProcessFileName =~ 'powershell.exe'
| where ProcessCommandLine contains 'Invoke-WebRequest' or ProcessCommandLine contains 'IEX' or ProcessCommandLine contains '.ps1'
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, FileName, FolderPath
| join kind=leftouter (
DeviceFileEvents
| where ActionType == 'FileCreated' or ActionType == 'FileDownloaded'
| where FileName endswith '.ps1'
| project FileTimestamp=Timestamp, FileName, FileOriginUrl, FolderPath
) on FileName
| where isnull(FileTimestamp) or (FileTimestamp >= Timestamp - 1h and FileTimestamp <= Timestamp + 1h)
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, FileName, FileOriginUrl, FolderPath
| order by Timestamp desc | pass | 2 | 23.95s | 0.0567 |
| grok-3-mini-beta | WinPwn.ps1 | DeviceProcessEvents | where FileName =~ 'powershell.exe' | where ProcessCommandLine contains '.ps1' or ProcessCommandLine contains 'Invoke-WebRequest' or ProcessCommandLine contains 'bitsadmin' | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine | order by TimeGenerated desc | pass | 1 | 13.50s | 0.0030 |
| o1-high | 08cabb5a-a9a4-4758-9e93-28d5bdfa77ef.ps1 | union DeviceFileEvents, DeviceProcessEvents
| where ActionType in ("FileCreated", "FileDownloaded", "CreateProcess")
| where InitiatingProcessFileName has_any ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
// Look for .ps1 script references
| where FileName endswith ".ps1" or ProcessCommandLine has ".ps1" or FileOriginUrl has ".ps1"
| project TimeGenerated,
DeviceName,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
FileName,
FolderPath,
FileOriginUrl,
ProcessCommandLine,
ActionType,
Type
| order by TimeGenerated desc | fail | 4 | 176.70s | 1.1632 |
| o1-low | WinPwn.ps1 | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("Net.WebClient", "DownloadFile", "Invoke-WebRequest", "IEX")
| project TimeGenerated, DeviceName, AccountName, FolderPath, FileName, ProcessCommandLine
| order by TimeGenerated desc | pass | 1 | 45.40s | 0.3244 |
| o3-high | no answer | no query generated | fail | 5 | 0.00s | 0.1102 |
| o3-mini-high | WinPwn.ps1 | DeviceProcessEvents | where FileName contains "powershell.exe" and ProcessCommandLine contains ".ps1" | extend FetchedScript = tostring(extract(@"\b(\S+\.ps1)\b", 1, ProcessCommandLine)) | where isnotempty(FetchedScript) | project TimeGenerated, DeviceName, FileName, FetchedScript, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated desc | pass | 3 | 47.36s | 0.0383 |
| o3-mini-low | WinPwn.ps1 | DeviceProcessEvents | where ProcessCommandLine has "PowerShell" and ProcessCommandLine contains ".ps1" | extend ScriptName = extract(@'[\\/]+([^\\/\s]+\.ps1)', 1, ProcessCommandLine) | where isnotempty(ScriptName) | project TimeGenerated, DeviceName, ProcessCommandLine, ScriptName, InitiatingProcessFileName, FolderPath | order by TimeGenerated desc | take 100 | pass | 1 | 15.57s | 0.0173 |
| o4-mini-high | no answer | no query generated | fail | 5 | 0.00s | 0.0550 |
| o4-mini-low | no answer | no query generated | fail | 5 | 0.00s | 0.0476 |