Question Analysis
On a Windows system, an attacker used the command prompt to remove one or more default administrative shares. Which share names were deleted?
4299eff5-90f1-4446-b2f3-7f4f5cfd5d62
Question ID
10/23
Models Correct
3
Valid Answers
43%
Success Rate
Reference Answers
Human-validated correct answers for this question. Judging from the table below, grading accepted these names in any order and case (o3-high's `admin$,ipc$,c$` was marked Correct) and also accepted gpt-5-nano-high's partial list `ADMIN$,IPC$` as Correct, so the 43% success rate includes at least one partial match.
C$, IPC$, ADMIN$
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | C$, IPC$, ADMIN$ | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName =~ "cmd.exe"
| where ProcessCommandLine contains "net share" and ProcessCommandLine contains "/delete"
| extend ShareNameDeleted = extract(@'net share ([^\s]+) /delete', 1, ProcessCommandLine)
| where isnotempty(ShareNameDeleted)
| project Timestamp, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, ShareNameDeleted, AccountName | Correct | 1 | 12.53s | 0.0058 |
gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0107 |
gpt-4-turbo-2024-04-09 | C$ IPC$ ADMIN$ | DeviceProcessEvents
| where ProcessCommandLine contains 'net share' and (ProcessCommandLine contains '/delete' or ProcessCommandLine contains ' /d')
| project DeviceName, ProcessCommandLine, TimeGenerated | Correct | 1 | 9.04s | 0.0507 |
gpt-4.1 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0510 |
gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0515 |
gpt-4.1-mini | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0079 |
gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0016 |
gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0513 |
gpt-5-high | ADMIN$,IPC$,C$ | let defaultAdminShares = dynamic(["ADMIN$","IPC$","C$","D$","E$","F$","G$","H$","I$","J$","K$","L$","M$","N$","O$","P$","Q$","R$","S$","T$","U$","V$","W$","X$","Y$","Z$"]);
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName in~ ("net.exe","net1.exe")
| where InitiatingProcessFileName =~ "cmd.exe" // ensured run from Command Prompt
| extend cmd = tostring(ProcessCommandLine)
| where cmd matches regex @"(?i)\bnet(\.exe)?\s+share\b" and cmd matches regex @"(?i)\s/(?:delete|del)\b"
| extend ShareName = toupper(extract(@"(?i)\bshare\s+['\""]?([A-Za-z0-9_\-]+[$])['\""]?", 1, cmd))
| where ShareName in (defaultAdminShares)
| distinct ShareName | Correct | 1 | 77.84s | 0.0428 |
gpt-5-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0234 |
gpt-5-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0209 |
gpt-5-mini-medium | C$,ADMIN$,IPC$ | // Find deletions of administrative shares (e.g., C$, ADMIN$, IPC$) performed via cmd.exe/net.exe/reg.exe
union isfuzzy=true DeviceEvents, DeviceProcessEvents
| where (ProcessCommandLine has_cs "net share" or ProcessCommandLine has_cs "net share" or InitiatingProcessCommandLine has_cs "net share"
or ProcessCommandLine has_cs "net.exe" or InitiatingProcessCommandLine has_cs "net.exe"
or ProcessCommandLine has_cs "reg delete" or InitiatingProcessCommandLine has_cs "reg delete"
or ProcessCommandLine has_cs "sc delete" or InitiatingProcessCommandLine has_cs "sc delete")
and (FileName has_cs "cmd.exe" or FileName has_cs "net.exe" or FileName has_cs "reg.exe" or FileName has_cs "sc.exe"
or InitiatingProcessFileName has_cs "cmd.exe" or InitiatingProcessFileName has_cs "net.exe" or InitiatingProcessFileName has_cs "reg.exe" or InitiatingProcessFileName has_cs "sc.exe")
| extend cmdline = coalesce(ProcessCommandLine, InitiatingProcessCommandLine)
| extend share = extract(@"(?:net\s+share\s+)([A-Za-z0-9\$]+)", 1, tostring(cmdline))
| extend share_reg = extract(@"(?:\\\?\\)?HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost\\.*?" , 0, tostring(RegistryKey))
| extend share2 = iff(isnotempty(share), share, extract(@"(?:/delete\s+|delete\s+)([A-Za-z0-9\$]+)", 1, tostring(cmdline)))
| extend share3 = iff(isnotempty(share2), share2, extract(@"([A-Za-z]:\$|[A-Za-z0-9_]+\$)", 1, tostring(cmdline)))
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountName, FileName, InitiatingProcessFileName, cmdline, share = share3
| where isnotempty(share)
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Count=count() by DeviceName, share
| order by LastSeen desc
| Correct | 1 | 17.15s | 0.0043 |
gpt-5-nano-high | ADMIN$,IPC$ | let AllDeletedShares = union DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents
| where TimeGenerated >= ago(30d)
| extend CmdLine = coalesce(InitiatingProcessCommandLine, ProcessCommandLine)
| where CmdLine contains "net share"
| extend ShareName = tostring(extract(@"net\s+share\s+([^\\s/]+)", 1, CmdLine))
| where isnotempty(ShareName)
| summarize DeletedShareNames = makeset(ShareName);
AllDeletedShares | Correct | 2 | 78.33s | 0.0049 |
gpt-5-nano-medium | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0073 |
grok-3-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0925 |
grok-3-mini-beta | C$, IPC$, ADMIN$ | DeviceProcessEvents
| where ProcessCommandLine contains 'net share' and ProcessCommandLine contains '/delete'
| extend ShareName = extract(@'net share (\S+)', 1, ProcessCommandLine) // Extracts the share name after 'net share'
| where isnotempty(ShareName) // Ensures only valid extractions are kept
| project Timestamp, DeviceName, ShareName, ProcessCommandLine // Projects key fields for review | Correct | 1 | 20.29s | 0.0016 |
o1-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 1.0645 |
o1-low | C$,IPC$,ADMIN$ | DeviceProcessEvents
| where FileName =~ "cmd.exe"
| where ProcessCommandLine has_all ("net", "share", "/delete")
| parse kind=regex ProcessCommandLine with @"net share " ShareName @" /delete" *
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ShareName, ProcessCommandLine
| Correct | 1 | 35.22s | 0.2235 |
o3-high | admin$,ipc$,c$ | // Administrative shares deleted from the endpoint
DeviceProcessEvents
| where TimeGenerated between (startofday(ago(7d)) .. now()) // << replace/override with your time-picker
| where FileName in~ ("net.exe", "wmic.exe", "powershell.exe")
// Normalise the command line for easier string matching
| extend cmd = tolower(ProcessCommandLine)
// Keep only executions that look like a share-deletion command
| where (FileName =~ "net.exe" and cmd contains " share " and cmd contains "/delete")
or (FileName =~ "wmic.exe" and cmd contains " share " and cmd contains " delete")
or (FileName =~ "powershell.exe" and cmd contains "remove-smbshare")
// Extract the name of the share that is being deleted – pattern differs per tool
| extend DeletedShare = case(
FileName =~ "net.exe", extract("net\\s+share\\s+([^\\s]+)", 1, cmd),
FileName =~ "wmic.exe", extract("name=\"([^\"]+)\"", 1, cmd),
FileName =~ "powershell.exe", extract("-name\\s+\"([^\"]+)\"", 1, cmd),
"")
| where isnotempty(DeletedShare) and DeletedShare endswith "$" // focus on default admin shares
| project TimeGenerated,
DeviceName,
User = iff(isempty(AccountDomain), AccountName, strcat(AccountDomain, "\\", AccountName)),
FileName,
ProcessCommandLine,
DeletedShare
| sort by TimeGenerated desc | Correct | 5 | 162.96s | 0.0973 |
o3-mini-high | %i | DeviceProcessEvents
| where InitiatingProcessFileName =~ "cmd.exe"
| where InitiatingProcessCommandLine contains "net share" and InitiatingProcessCommandLine contains "/delete"
| extend shareName = extract("net\\s+share\\s+([^\\s]+)\\s+/delete", 1, InitiatingProcessCommandLine)
| where isnotempty(shareName)
| summarize by shareName
| project shareName | Incorrect | 2 | 21.73s | 0.0136 |
o3-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0351 |
o4-mini-high | C$, IPC$, ADMIN$ | // 1) Registry-based share deletions
let RegistryDeletion = DeviceRegistryEvents
| where ActionType == "ValueDeleted"
| where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares"
| extend ShareName = RegistryValueName
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ShareName;
// 2) "net share <ShareName> /delete" command
let NetShareDelete = DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine matches regex @"(?i)\bnet\s+share\s+\S+\s+/delete\b"
| extend ShareName = tostring(split(trim(@"/", ProcessCommandLine), ' ')[2])
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ShareName;
// 3) PowerShell Remove-SmbShare -Name <ShareName>
let RemoveSmbShare = DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine matches regex @"(?i)\bRemove-SmbShare\s+-Name\s+\S+\b"
| extend ShareName = extract(@"Remove-SmbShare\s+-Name\s+(\S+)", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ShareName;
// Combine all and sort descending by time
RegistryDeletion
| union NetShareDelete
| union RemoveSmbShare
| sort by TimeGenerated desc | Correct | 1 | 35.57s | 0.0137 |
o4-mini-low | ADMIN$, IPC$, C$ | DeviceProcessEvents
| where ActionType == "ProcessCreated"
// Catch both 32-bit and 64-bit invocations of net.exe
| where FileName in~ ("net.exe", "net1.exe")
// Look for the share deletion syntax
| where tolower(ProcessCommandLine) has "share" and tolower(ProcessCommandLine) has "/delete"
// Extract the share name between "net share" and "/delete"
| extend ShareName = extract(@"(?i)net\s+share\s+([^\s]+)\s+/delete", 1, ProcessCommandLine)
| where isnotempty(ShareName)
// List each deletion or aggregate by share
| summarize DeletionCount = count() by ShareName
| sort by DeletionCount desc | Correct | 2 | 67.66s | 0.0180 |