Question Analysis
On a Windows system, identify any PowerShell Test-NetConnection executions against an uncommon port. Which port number was checked?
Question ID: 21fe622f-8e53-4b31-ba83-6d333c2583f4
Models Correct: 8/23
Valid Answer: 1
Success Rate: 35%
Reference Answer
Human-validated correct answer for this question
8081
Model Performance Comparison
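See how different AI models performed on this question. The queries are not directly comparable: each one uses its own exclusion list of "common" ports, and most parse the port out of the process command line, whereas the grok-3-mini-beta query reads RemotePort from DeviceNetworkEvents and does not exclude 445, which would explain why its answer lists 445 alongside 8081.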
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0422 |
gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0109 |
gpt-4-turbo-2024-04-09 | 8081 | DeviceProcessEvents
| where ProcessCommandLine contains 'Test-NetConnection'
| extend RemotePort = tostring(extract('(?i)-Port (\\d+)', 1, ProcessCommandLine))
| where RemotePort != ''
| summarize Count = count() by RemotePort
| order by Count asc | Correct | 4 | 26.44s | 0.1897 |
gpt-4.1 | 8081 | DeviceProcessEvents
| where tolower(FileName) in ("powershell.exe", "pwsh.exe")
and tolower(ProcessCommandLine) has "test-netconnection"
| extend PortExtract = extract(@"(?i)(?:-port|/port|port)(?:\s*[:=]?\s*)([0-9]{1,5})", 1, ProcessCommandLine)
| extend PortNum = toint(PortExtract)
| where isnotempty(PortNum)
// Exclude common ports
| where PortNum !in (80,443,53,3389,445,139,22,21,25,135,137,138,110,143,3306,1433,8080,8443)
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, PortNum | Correct | 4 | 30.90s | 0.0409 |
gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0568 |
gpt-4.1-mini | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0070 |
gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0012 |
gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0592 |
gpt-5-high | 8081 | let commonPorts = dynamic([20,21,22,23,25,53,67,68,69,80,88,110,123,135,137,138,139,143,161,389,443,445,465,500,514,587,636,993,995,1433,1521,3306,3389,5432,5900,5985,5986,6379,8080,8443]);
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any ("Test-NetConnection", " tnc ")
// Extract port from different ways Test-NetConnection can be used
| extend PortFromParam = toint(extract(@'(?i)-Port\s*[:=]?\s*(\d{1,5})', 1, ProcessCommandLine))
| extend CommonTCP = tolower(extract(@'(?i)-CommonTCPPort\s*[:=]?\s*([A-Za-z]+)', 1, ProcessCommandLine))
| extend PortFromCommon = case(
CommonTCP == "http", 80,
CommonTCP == "https", 443,
CommonTCP == "rdp", 3389,
CommonTCP == "winrm", 5985,
CommonTCP == "smb", 445,
CommonTCP == "ftp", 21,
CommonTCP == "telnet", 23,
CommonTCP == "ssh", 22,
int(null)
)
// Fallback if user typed tnc host:port
| extend PortFromColon = toint(extract(@'(?i)\btnc\b\s+\S+?:\s*(\d{1,5})', 1, ProcessCommandLine))
| extend PortChecked = coalesce(PortFromParam, PortFromCommon, PortFromColon)
| where PortChecked between (1 .. 65535)
| where PortChecked !in (commonPorts)
| project TimeGenerated, DeviceName, AccountName, UncommonPort = PortChecked, ProcessCommandLine
| order by TimeGenerated desc | Correct | 2 | 190.83s | 0.0894 |
gpt-5-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0274 |
gpt-5-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0105 |
gpt-5-mini-medium | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0187 |
gpt-5-nano-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0077 |
gpt-5-nano-medium | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0074 |
grok-3-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0931 |
grok-3-mini-beta | 8081 and 445 | DeviceNetworkEvents
| where InitiatingProcessCommandLine contains "Test-NetConnection"
| where RemotePort > 0 and RemotePort !in (20, 21, 22, 25, 53, 80, 110, 143, 443, 3389) // Filtering for uncommon ports
| project DeviceName, InitiatingProcessCommandLine, RemotePort, TimeGenerated
| summarize UncommonPortsChecked = make_set(RemotePort) by DeviceName // Summarizes unique uncommon ports per device | Correct | 1 | 18.31s | 0.0016 |
o1-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.5769 |
o1-low | 8081 | DeviceProcessEvents
| where (FileName =~ "powershell.exe" or InitiatingProcessFileName =~ "powershell.exe")
and (ProcessCommandLine has "Test-NetConnection" or InitiatingProcessCommandLine has "Test-NetConnection")
| extend EffectiveCommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine)
| extend ExtractedPort = toint(extract("(?i)-Port\\s+(\\d+)", 1, EffectiveCommandLine))
| where isnotempty(ExtractedPort)
and ExtractedPort !in (21, 22, 25, 53, 80, 443, 135, 139, 445, 3389, 8080)
| project TimeGenerated, DeviceName, AccountDomain, AccountName, ExtractedPort, EffectiveCommandLine
| order by TimeGenerated desc | Correct | 3 | 61.84s | 0.4911 |
o3-high | 8081 | // Identify PowerShell Test-NetConnection executions that specify a non-standard (uncommon) port
// ---------------------------------------------------------------------------------------------------
// 1. Define a list of well-known / routinely used ports that we want to ignore.
let CommonPorts = dynamic([
20,21,22,23,25,53,67,68,69,80,110,123,135,137,138,139,143,161,
389,443,445,465,587,636,989,990,993,995,1433,1521,3306,3389,5985,5986
]);
// 2. Pull all PowerShell processes that invoked the Test-NetConnection cmdlet and parse the value
// passed to the "-Port" parameter (case-insensitive, accepts "-Port 4444" or "-Port:4444").
let PS_TestNetConn = DeviceProcessEvents
| where tolower(FileName) in ("powershell.exe","pwsh.exe","powershell_ise.exe")
| where ProcessCommandLine contains "test-netconnection"
| extend CmdLower = tolower(ProcessCommandLine)
| extend PortStr = extract(@"-port[:\s]+([0-9]{1,5})", 1, CmdLower)
| where isnotempty(PortStr)
| extend Port = toint(PortStr)
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, Port;
// 3a. Show every individual execution that targeted an uncommon port
PS_TestNetConn
| where Port !in (CommonPorts)
| order by TimeGenerated desc
// 3b. (Answer to the question) Aggregate to see which uncommon ports were checked and how often
| summarize Executions = count(), Devices = make_set(DeviceName, 10) by Port
| order by Executions desc | Correct | 3 | 80.98s | 0.0609 |
o3-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0387 |
o3-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0409 |
o4-mini-high | 8081 | DeviceProcessEvents
| where FileName has_cs "powershell.exe" or FileName has_cs "pwsh.exe"
| where tolower(ProcessCommandLine) has "test-netconnection" or tolower(ProcessCommandLine) has "tnc "
| extend cmdLower = tolower(ProcessCommandLine)
| extend Port = toint(coalesce(
extract(@"-port(?:=|:|\s+)(\d+)", 1, cmdLower),
extract(@"-p(?:=|:|\s+)(\d+)", 1, cmdLower)
))
| where Port > 0
// exclude common ports
| where Port !in (80, 443, 3389, 22, 21, 23, 25, 110, 143, 53, 445)
| summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Port
| order by Count desc
| project Port, Count, FirstSeen, LastSeen | Correct | 4 | 177.84s | 0.0452 |
o4-mini-low | 8081 | DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
| where ProcessCommandLine has "Test-NetConnection"
| extend PortStr = extract(@"(?i)-Port\s+(\d+)", 1, ProcessCommandLine)
| where isnotempty(PortStr)
| extend Port = toint(PortStr)
| where Port !in (80, 443, 3389, 445)
| distinct Port | Correct | 4 | 76.10s | 0.0330 |