Question Analysis
On a Windows system, an attacker used the command prompt to remove one or more default administrative shares. Which share names were deleted?
4299eff5-90f1-4446-b2f3-7f4f5cfd5d62
Question ID
6/16
Models Correct
3
Valid Answers
38%
Success Rate
Reference Answers
Human-validated correct answers for this question
C$, IPC$, ADMIN$
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | C$, IPC$, ADMIN$ | DeviceProcessEvents
| where ActionType == "ProcessCreated"
// NOTE(review): only cmd.exe process rows are inspected, so the share name is found
// only when it appears on a cmd.exe command line; `net share` started from any other
// image name is outside this filter.
| where FileName =~ "cmd.exe"
// `contains` is case-insensitive, so e.g. `NET SHARE C$ /DELETE` (constructed sample)
// passes this filter ...
| where ProcessCommandLine contains "net share" and ProcessCommandLine contains "/delete"
// ... but the regex below is case-sensitive and expects exactly one space on each side
// of the name, so such a row extracts nothing and is dropped by isnotempty().
| extend ShareNameDeleted = extract(@'net share ([^\s]+) /delete', 1, ProcessCommandLine)
| where isnotempty(ShareNameDeleted)
| project Timestamp, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, ShareNameDeleted, AccountName | Correct | 1 | 12.53s | 0.0058 |
gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0107 |
gpt-4-turbo-2024-04-09 | C$ IPC$ ADMIN$ | DeviceProcessEvents
// Broad match with no ActionType or FileName filter: any process row whose command line
// mentions `net share` together with a delete switch is returned.
// NOTE(review): ' /d' also matches ' /delete' and any other switch that starts with /d,
// so the second alternative widens the match rather than narrowing it.
| where ProcessCommandLine contains 'net share' and (ProcessCommandLine contains '/delete' or ProcessCommandLine contains ' /d')
// The share name is not extracted; it has to be read out of ProcessCommandLine.
// NOTE(review): this query projects TimeGenerated while others on this page project
// Timestamp; which column exists depends on where the query runs, so confirm.
| project DeviceName, ProcessCommandLine, TimeGenerated | Correct | 1 | 9.04s | 0.0507 |
gpt-4.1 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0510 |
gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0515 |
gpt-4.1-mini | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0079 |
gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0016 |
gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0513 |
grok-3-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0925 |
grok-3-mini-beta | C$, IPC$, ADMIN$ | DeviceProcessEvents
// No ActionType or FileName filter: every process row whose command line matches is kept.
| where ProcessCommandLine contains 'net share' and ProcessCommandLine contains '/delete'
// NOTE(review): the capture is the first non-space token after a lowercase, single-spaced
// `net share`. The regex does not require that token to be followed by /delete, and it is
// case-sensitive, unlike the `contains` filter above.
| extend ShareName = extract(@'net share (\S+)', 1, ProcessCommandLine) // Extracts the share name after 'net share'
| where isnotempty(ShareName) // Ensures only valid extractions are kept
| project Timestamp, DeviceName, ShareName, ProcessCommandLine // Projects key fields for review | Correct | 1 | 20.29s | 0.0016 |
o1-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 1.0645 |
o1-low | C$,IPC$,ADMIN$ | DeviceProcessEvents
// NOTE(review): only cmd.exe process rows are inspected; a `net share` command that is
// logged under another image name is outside this filter.
| where FileName =~ "cmd.exe"
// has_all: all three terms must be present; their order and spacing are not checked here.
| where ProcessCommandLine has_all ("net", "share", "/delete")
// NOTE(review): `parse` does not filter. Rows where the pattern fails to match stay in the
// output with an empty ShareName, so add an isnotempty() check (or use parse-where) if
// only successful extractions are wanted.
| parse kind=regex ProcessCommandLine with @"net share " ShareName @" /delete" *
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ShareName, ProcessCommandLine
| Correct | 1 | 35.22s | 0.2235 |
o3-mini-high | %i | DeviceProcessEvents
// NOTE(review): every filter below reads the *initiating* (parent) process fields, so the
// query describes the parent of each logged process rather than the process itself.
| where InitiatingProcessFileName =~ "cmd.exe"
| where InitiatingProcessCommandLine contains "net share" and InitiatingProcessCommandLine contains "/delete"
// The recorded answer `%i` is what this capture group returned. Presumably the parent's
// command line held an unexpanded batch loop variable; extracting from ProcessCommandLine
// instead would show the per-process value (confirm against the data).
| extend shareName = extract("net\\s+share\\s+([^\\s]+)\\s+/delete", 1, InitiatingProcessCommandLine)
| where isnotempty(shareName)
// Distinct captured tokens only; device, account and time context are dropped.
| summarize by shareName
| project shareName | Incorrect | 2 | 21.73s | 0.0136 |
o3-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0351 |
o4-mini-high | C$, IPC$, ADMIN$ | // 1) Registry-based share deletions
// NOTE(review): the documented DeviceRegistryEvents action for a removed value is
// "RegistryValueDeleted"; confirm that "ValueDeleted" matches anything in this schema.
// NOTE(review): presumably this branch contributes nothing for C$/ADMIN$/IPC$, which
// Windows creates automatically rather than from values under ...\LanmanServer\Shares.
// Verify before relying on it for default administrative shares.
let RegistryDeletion = DeviceRegistryEvents
| where ActionType == "ValueDeleted"
| where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares"
| extend ShareName = RegistryValueName
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ShareName;
// 2) "net share <ShareName> /delete" command
let NetShareDelete = DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine matches regex @"(?i)\bnet\s+share\s+\S+\s+/delete\b"
// NOTE(review): the filter above tolerates a prefix and extra whitespace, but the line
// below takes the third space-separated token of the whole command line. That is the
// share name only when the line starts with `net share <name>`; for a constructed sample
// such as `cmd.exe /c net share C$ /delete` it yields `net`. trim(@"/", ...) only strips
// a leading or trailing "/" and does not change which token is picked.
| extend ShareName = tostring(split(trim(@"/", ProcessCommandLine), ' ')[2])
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ShareName;
// 3) PowerShell Remove-SmbShare -Name <ShareName>
// NOTE(review): matches only when -Name directly follows the cmdlet, so positional or
// reordered parameters are missed. The filter is case-insensitive ((?i)) but the extract
// below is not, so a differently-cased cmdlet name passes the filter with an empty ShareName.
let RemoveSmbShare = DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine matches regex @"(?i)\bRemove-SmbShare\s+-Name\s+\S+\b"
| extend ShareName = extract(@"Remove-SmbShare\s+-Name\s+(\S+)", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ShareName;
// Combine all and sort descending by time
RegistryDeletion
| union NetShareDelete
| union RemoveSmbShare
| sort by TimeGenerated desc | Correct | 1 | 35.57s | 0.0137 |
o4-mini-low | ADMIN$, IPC$, C$ | DeviceProcessEvents
| where ActionType == "ProcessCreated"
// Match both net.exe and net1.exe: net.exe hands most subcommands to net1.exe, so the
// command can be logged under either image name (they are not 32-/64-bit variants).
| where FileName in~ ("net.exe", "net1.exe")
// Look for the share deletion syntax (`has` is already case-insensitive, so the
// tolower() calls are redundant but harmless)
| where tolower(ProcessCommandLine) has "share" and tolower(ProcessCommandLine) has "/delete"
// Extract the share name between "net share" and "/delete" (case-insensitive, any
// run of whitespace between the tokens)
| extend ShareName = extract(@"(?i)net\s+share\s+([^\s]+)\s+/delete", 1, ProcessCommandLine)
| where isnotempty(ShareName)
// Aggregate by share name only: device and time context are dropped, so the counts span
// every device in scope. If net.exe and net1.exe both log the same command, one deletion
// is counted twice.
| summarize DeletionCount = count() by ShareName
| sort by DeletionCount desc | Correct | 2 | 67.66s | 0.0180 |