Question Analysis
On a Windows system, PowerShell was used to gather multiple browser credential files into a temp folder and then archive them. What was the name of the resulting ZIP file?
f543635c-1705-42c3-b180-efd6dc6e7ee7
Question ID
10/16
Models Correct
1
Valid Answer
63%
Success Rate
Reference Answer
Human-validated correct answer for this question
T1555.003.zip
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | T1555.003.zip | DeviceFileEvents
| where InitiatingProcessFileName =~ "powershell.exe"
| where FileName endswith ".zip"
| where FolderPath contains "temp" or FolderPath contains @"AppData\Local\Temp"
| distinct FileName | Correct | 1 | 11.09s | 0.0046 |
| gpt-35-turbo | T1555.003.zip | DeviceFileEvents | where ActionType == 'FileCreated' | where InitiatingProcessCommandLine contains 'PowerShell' and FolderPath contains 'temp' and FileName endswith '.zip' | project FileName | Correct | 5 | 14.46s | 0.0112 |
| gpt-4-turbo-2024-04-09 | T1555.003.zip | DeviceFileEvents
| where ActionType == 'FileCreated'
and FileName has '.zip'
and FolderPath has 'temp'
and InitiatingProcessFileName == 'powershell.exe'
| project DeviceName, FileName, FolderPath, InitiatingProcessCommandLine | Correct | 1 | 11.47s | 0.0630 |
| gpt-4.1 | T1555.003.zip | DeviceFileEvents
| where ActionType =~ 'FileCreated'
| where FileName endswith '.zip'
| where FolderPath contains 'temp'
| where InitiatingProcessFileName =~ 'powershell.exe'
| project TimeGenerated, DeviceName, FileName, FolderPath, InitiatingProcessCommandLine
| sort by TimeGenerated desc | Correct | 1 | 5.55s | 0.0134 |
| gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0361 |
| gpt-4.1-mini | chrome-win.zip | DeviceProcessEvents
| where InitiatingProcessFileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("zip", "archive", "compress", "7zip", "tar", "compress-archive")
| where ProcessCommandLine has_any ("temp", "tmp", "AppData", "Chrome", "Edge", "Firefox", "Credentials", "Passwords")
| extend ZipFileName = extract(@"[\\/]?([\w\-. ]+\.zip)", 1, ProcessCommandLine)
| where isnotempty(ZipFileName)
| project TimeGenerated, DeviceName, ProcessId, ProcessCommandLine, ZipFileName
| order by TimeGenerated desc
| distinct ZipFileName | Incorrect | 3 | 36.34s | 0.0057 |
| gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0020 |
| gpt-4o | T1555.003.zip | DeviceFileEvents
| where ActionType == "FileCreated" and InitiatingProcessCommandLine contains "powershell"
| where FileName endswith ".zip"
| project FileName | Correct | 1 | 19.06s | 0.0143 |
| grok-3-beta | T1555.003.zip | DeviceFileEvents
| where TimeGenerated > ago(7d)
| where InitiatingProcessFileName =~ 'powershell.exe'
| where ActionType == 'FileCreated'
| where FileName endswith '.zip'
| where FolderPath contains 'temp' or FolderPath contains 'tmp'
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessCommandLine
| order by Timestamp desc | Correct | 1 | 14.56s | 0.0262 |
| grok-3-mini-beta | T1555.003.zip | DeviceFileEvents
| where InitiatingProcessFileName == "powershell.exe"
| where ActionType == "FileCreated"
| where FolderPath contains "Temp"
| where FileName endswith ".zip"
| project FileName, FolderPath, Timestamp
| summarize arg_max(Timestamp, *) by FileName | Correct | 1 | 16.47s | 0.0016 |
| o1-high | T1555.003.zip | DeviceFileEvents
| where ActionType == "FileCreated"
| where InitiatingProcessFileName =~ "powershell.exe" or InitiatingProcessCommandLine has "powershell"
| where FileName endswith ".zip"
| project TimeGenerated, DeviceName, FolderPath, FileName, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 23.02s | 0.1987 |
| o1-low | T1555.003.zip | DeviceFileEvents
| where InitiatingProcessFileName =~ "powershell.exe"
| where ActionType == "FileCreated"
| where FolderPath contains "temp"
| where FileName endswith ".zip"
| project TimeGenerated, DeviceName, FolderPath, FileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain
| order by TimeGenerated desc | Correct | 1 | 33.28s | 0.2358 |
| o3-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0494 |
| o3-mini-low | T1555.003.zip | DeviceFileEvents
| where FileName endswith ".zip"
| where tolower(FolderPath) contains "temp"
| where tolower(InitiatingProcessFileName) == "powershell.exe"
| project TimeGenerated, FileName, FolderPath, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 15.48s | 0.0119 |
| o4-mini-high | T1560-data-ps.zip |
// First, capture PowerShell processes that ran Compress-Archive targeting a .zip
let psCompress = DeviceProcessEvents
| where FileName == "powershell.exe"
| where ProcessCommandLine has "Compress-Archive"
| where ProcessCommandLine contains ".zip"
| project DeviceId, InitiatingProcessId = ProcessId;
// Then find the matching file events for .zip files created by those PowerShell processes
DeviceFileEvents
| where InitiatingProcessFileName == "powershell.exe"
| where FileName endswith ".zip"
| join kind=inner psCompress on DeviceId, InitiatingProcessId
| distinct FileName
| project ZipFileName = FileName | Incorrect | 1 | 65.15s | 0.0151 |
| o4-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0442 |