// question

On a Windows system, an attacker used the command prompt to remove one or more default administrative shares. Which share names were deleted?

Reference KQL answer and model-by-model comparison.

4299eff5-90f1-4446-b2f3-7f4f5cfd5d62
question id
10/23
models correct
3
valid answers
43%
success rate
// reference answers

Human-validated correct answers for this question.

C$IPC$ADMIN$
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
C$, IPC$, ADMIN$
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName =~ "cmd.exe"
| where ProcessCommandLine contains "net share" and ProcessCommandLine contains "/delete"
| extend ShareNameDeleted = extract(@'net share ([^\s]+) /delete', 1, ProcessCommandLine)
| where isnotempty(ShareNameDeleted)
| project Timestamp, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, ShareNameDeleted, AccountName
pass112.53s0.0058
gpt-35-turbo
no answer
no query generatedfail50.00s0.0107
gpt-4-turbo-2024-04-09
C$ IPC$ ADMIN$
DeviceProcessEvents
| where ProcessCommandLine contains 'net share' and (ProcessCommandLine contains '/delete' or ProcessCommandLine contains ' /d')
| project DeviceName, ProcessCommandLine, TimeGenerated
pass19.04s0.0507
gpt-4.1
no answer
no query generatedfail50.00s0.0510
gpt-4.1-finetuned
no answer
no query generatedfail50.00s0.0515
gpt-4.1-mini
no answer
no query generatedfail50.00s0.0079
gpt-4.1-nano
no answer
no query generatedfail50.00s0.0016
gpt-4o
no answer
no query generatedfail50.00s0.0513
gpt-5-high
ADMIN$,IPC$,C$
let defaultAdminShares = dynamic(["ADMIN$","IPC$","C$","D$","E$","F$","G$","H$","I$","J$","K$","L$","M$","N$","O$","P$","Q$","R$","S$","T$","U$","V$","W$","X$","Y$","Z$"]);
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName in~ ("net.exe","net1.exe")
| where InitiatingProcessFileName =~ "cmd.exe"  // ensured run from Command Prompt
| extend cmd = tostring(ProcessCommandLine)
| where cmd matches regex @"(?i)\bnet(\.exe)?\s+share\b" and cmd matches regex @"(?i)\s/(?:delete|del)\b"
| extend ShareName = toupper(extract(@"(?i)\bshare\s+['\""]?([A-Za-z0-9_\-]+[$])['\""]?", 1, cmd))
| where ShareName in (defaultAdminShares)
| distinct ShareName
pass177.84s0.0428
gpt-5-mini-high
no answer
no query generatedfail50.00s0.0234
gpt-5-mini-low
no answer
no query generatedfail50.00s0.0209
gpt-5-mini-medium
C$,ADMIN$,IPC$
// Find deletions of administrative shares (e.g., C$, ADMIN$, IPC$) performed via cmd.exe/net.exe/reg.exe
union isfuzzy=true DeviceEvents, DeviceProcessEvents
| where (ProcessCommandLine has_cs "net share" or ProcessCommandLine has_cs "net share" or InitiatingProcessCommandLine has_cs "net share"
        or ProcessCommandLine has_cs "net.exe" or InitiatingProcessCommandLine has_cs "net.exe"
        or ProcessCommandLine has_cs "reg delete" or InitiatingProcessCommandLine has_cs "reg delete"
        or ProcessCommandLine has_cs "sc delete" or InitiatingProcessCommandLine has_cs "sc delete")
  and (FileName has_cs "cmd.exe" or FileName has_cs "net.exe" or FileName has_cs "reg.exe" or FileName has_cs "sc.exe"
       or InitiatingProcessFileName has_cs "cmd.exe" or InitiatingProcessFileName has_cs "net.exe" or InitiatingProcessFileName has_cs "reg.exe" or InitiatingProcessFileName has_cs "sc.exe")
| extend cmdline = coalesce(ProcessCommandLine, InitiatingProcessCommandLine)
| extend share = extract(@"(?:net\s+share\s+)([A-Za-z0-9\$]+)", 1, tostring(cmdline))
| extend share_reg = extract(@"(?:\\\?\\)?HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost\\.*?" , 0, tostring(RegistryKey))
| extend share2 = iff(isnotempty(share), share, extract(@"(?:/delete\s+|delete\s+)([A-Za-z0-9\$]+)", 1, tostring(cmdline)))
| extend share3 = iff(isnotempty(share2), share2, extract(@"([A-Za-z]:\$|[A-Za-z0-9_]+\$)", 1, tostring(cmdline)))
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountName, FileName, InitiatingProcessFileName, cmdline, share = share3
| where isnotempty(share)
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Count=count() by DeviceName, share
| order by LastSeen desc
pass117.15s0.0043
gpt-5-nano-high
ADMIN$,IPC$
let AllDeletedShares = union DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents
| where TimeGenerated >= ago(30d)
| extend CmdLine = coalesce(InitiatingProcessCommandLine, ProcessCommandLine)
| where CmdLine contains "net share"
| extend ShareName = tostring(extract(@"net\s+share\s+([^\\s/]+)", 1, CmdLine))
| where isnotempty(ShareName)
| summarize DeletedShareNames = makeset(ShareName);
AllDeletedShares
pass278.33s0.0049
gpt-5-nano-medium
no answer
no query generatedfail50.00s0.0073
grok-3-beta
no answer
no query generatedfail50.00s0.0925
grok-3-mini-beta
C$, IPC$, ADMIN$
DeviceProcessEvents
| where ProcessCommandLine contains 'net share' and ProcessCommandLine contains '/delete'
| extend ShareName = extract(@'net share (\S+)', 1, ProcessCommandLine)  // Extracts the share name after 'net share'
| where isnotempty(ShareName)  // Ensures only valid extractions are kept
| project Timestamp, DeviceName, ShareName, ProcessCommandLine  // Projects key fields for review
pass120.29s0.0016
o1-high
no answer
no query generatedfail50.00s1.0645
o1-low
C$,IPC$,ADMIN$
DeviceProcessEvents
| where FileName =~ "cmd.exe"
| where ProcessCommandLine has_all ("net", "share", "/delete")
| parse kind=regex ProcessCommandLine with @"net share " ShareName @" /delete" *
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ShareName, ProcessCommandLine
pass135.22s0.2235
o3-high
admin$,ipc$,c$
// Administrative shares deleted from the endpoint
DeviceProcessEvents
| where TimeGenerated between (startofday(ago(7d)) .. now())   // << replace/override with your time-picker
| where FileName in~ ("net.exe", "wmic.exe", "powershell.exe")
// Normalise the command line for easier string matching
| extend cmd = tolower(ProcessCommandLine)
// Keep only executions that look like a share-deletion command
| where (FileName =~ "net.exe"       and cmd contains " share " and cmd contains "/delete")
       or (FileName =~ "wmic.exe"      and cmd contains " share " and cmd contains " delete")
       or (FileName =~ "powershell.exe" and cmd contains "remove-smbshare")
// Extract the name of the share that is being deleted – pattern differs per tool
| extend DeletedShare = case(
        FileName =~ "net.exe",        extract("net\\s+share\\s+([^\\s]+)",             1, cmd),
        FileName =~ "wmic.exe",       extract("name=\"([^\"]+)\"",                  1, cmd),
        FileName =~ "powershell.exe", extract("-name\\s+\"([^\"]+)\"",              1, cmd),
        "")
| where isnotempty(DeletedShare) and DeletedShare endswith "$"   // focus on default admin shares
| project TimeGenerated,
          DeviceName,
          User = iff(isempty(AccountDomain), AccountName, strcat(AccountDomain, "\\", AccountName)),
          FileName,
          ProcessCommandLine,
          DeletedShare
| sort by TimeGenerated desc
pass5162.96s0.0973
o3-mini-high
%i
DeviceProcessEvents
| where InitiatingProcessFileName =~ "cmd.exe"
| where InitiatingProcessCommandLine contains "net share" and InitiatingProcessCommandLine contains "/delete"
| extend shareName = extract("net\\s+share\\s+([^\\s]+)\\s+/delete", 1, InitiatingProcessCommandLine)
| where isnotempty(shareName)
| summarize by shareName
| project shareName
fail221.73s0.0136
o3-mini-low
no answer
no query generatedfail50.00s0.0351
o4-mini-high
C$, IPC$, ADMIN$
// 1) Registry-based share deletions
let RegistryDeletion = DeviceRegistryEvents
| where ActionType == "ValueDeleted"
| where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares"
| extend ShareName = RegistryValueName
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ShareName;

// 2) "net share <ShareName> /delete" command
let NetShareDelete = DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine matches regex @"(?i)\bnet\s+share\s+\S+\s+/delete\b"
| extend ShareName = tostring(split(trim(@"/", ProcessCommandLine), ' ')[2])
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ShareName;

// 3) PowerShell Remove-SmbShare -Name <ShareName>
let RemoveSmbShare = DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine matches regex @"(?i)\bRemove-SmbShare\s+-Name\s+\S+\b"
| extend ShareName = extract(@"Remove-SmbShare\s+-Name\s+(\S+)", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ShareName;

// Combine all and sort descending by time
RegistryDeletion
| union NetShareDelete
| union RemoveSmbShare
| sort by TimeGenerated desc
pass135.57s0.0137
o4-mini-low
ADMIN$, IPC$, C$
DeviceProcessEvents
| where ActionType == "ProcessCreated"
// Catch both 32-bit and 64-bit invocations of net.exe
| where FileName in~ ("net.exe", "net1.exe")
// Look for the share deletion syntax
| where tolower(ProcessCommandLine) has "share" and tolower(ProcessCommandLine) has "/delete"
// Extract the share name between "net share" and "/delete"
| extend ShareName = extract(@"(?i)net\s+share\s+([^\s]+)\s+/delete", 1, ProcessCommandLine)
| where isnotempty(ShareName)
// List each deletion or aggregate by share
| summarize DeletionCount = count() by ShareName
| sort by DeletionCount desc
pass267.66s0.0180