Question Analysis
On a Windows system, identify any PowerShell Test-NetConnection executions against an uncommon port. Which port number was checked?
21fe622f-8e53-4b31-ba83-6d333c2583f4
Question ID
6/16
Models Correct
1
Valid Answer
38%
Success Rate
Reference Answer
Human-validated correct answer for this question
8081
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0422 |
| gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0109 |
| gpt-4-turbo-2024-04-09 | 8081 | DeviceProcessEvents
| where ProcessCommandLine contains 'Test-NetConnection'
| extend RemotePort = tostring(extract('(?i)-Port (\\d+)', 1, ProcessCommandLine))
| where RemotePort != ''
| summarize Count = count() by RemotePort
| order by Count asc | Correct | 4 | 26.44s | 0.1897 |
| gpt-4.1 | 8081 | DeviceProcessEvents
| where tolower(FileName) in ("powershell.exe", "pwsh.exe")
and tolower(ProcessCommandLine) has "test-netconnection"
| extend PortExtract = extract(@"(?i)(?:-port|/port|port)(?:\s*[:=]?\s*)([0-9]{1,5})", 1, ProcessCommandLine)
| extend PortNum = toint(PortExtract)
| where isnotempty(PortNum)
// Exclude common ports
| where PortNum !in (80,443,53,3389,445,139,22,21,25,135,137,138,110,143,3306,1433,8080,8443)
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, PortNum | Correct | 4 | 30.90s | 0.0409 |
| gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0568 |
| gpt-4.1-mini | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0070 |
| gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0012 |
| gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0592 |
| grok-3-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0931 |
| grok-3-mini-beta | 8081 and 445 | DeviceNetworkEvents
| where InitiatingProcessCommandLine contains "Test-NetConnection"
| where RemotePort > 0 and RemotePort !in (20, 21, 22, 25, 53, 80, 110, 143, 443, 3389) // Filtering for uncommon ports
| project DeviceName, InitiatingProcessCommandLine, RemotePort, TimeGenerated
| summarize UncommonPortsChecked = make_set(RemotePort) by DeviceName // Summarizes unique uncommon ports per device | Correct | 1 | 18.31s | 0.0016 |
| o1-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.5769 |
| o1-low | 8081 | DeviceProcessEvents
| where (FileName =~ "powershell.exe" or InitiatingProcessFileName =~ "powershell.exe")
and (ProcessCommandLine has "Test-NetConnection" or InitiatingProcessCommandLine has "Test-NetConnection")
| extend EffectiveCommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine)
| extend ExtractedPort = toint(extract("(?i)-Port\\s+(\\d+)", 1, EffectiveCommandLine))
| where isnotempty(ExtractedPort)
and ExtractedPort !in (21, 22, 25, 53, 80, 443, 135, 139, 445, 3389, 8080)
| project TimeGenerated, DeviceName, AccountDomain, AccountName, ExtractedPort, EffectiveCommandLine
| order by TimeGenerated desc | Correct | 3 | 61.84s | 0.4911 |
| o3-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0387 |
| o3-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0409 |
| o4-mini-high | 8081 | DeviceProcessEvents
| where FileName has_cs "powershell.exe" or FileName has_cs "pwsh.exe"
| where tolower(ProcessCommandLine) has "test-netconnection" or tolower(ProcessCommandLine) has "tnc "
| extend cmdLower = tolower(ProcessCommandLine)
| extend Port = toint(coalesce(
extract(@"-port(?:=|:|\s+)(\d+)", 1, cmdLower),
extract(@"-p(?:=|:|\s+)(\d+)", 1, cmdLower)
))
| where Port > 0
// exclude common ports
| where Port !in (80, 443, 3389, 22, 21, 23, 25, 110, 143, 53, 445)
| summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Port
| order by Count desc
| project Port, Count, FirstSeen, LastSeen | Correct | 4 | 177.84s | 0.0452 |
| o4-mini-low | 8081 | DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
| where ProcessCommandLine has "Test-NetConnection"
| extend PortStr = extract(@"(?i)-Port\s+(\d+)", 1, ProcessCommandLine)
| where isnotempty(PortStr)
| extend Port = toint(PortStr)
| where Port !in (80, 443, 3389, 445)
| distinct Port | Correct | 4 | 76.10s | 0.0330 |