// question
On a Windows system, security logs show a PowerShell process downloaded and executed a WinPwn script. Which function name was invoked to perform the search for credentials or other sensitive data?
Reference KQL answer and model-by-model comparison.
75f66e03-37d3-4704-9520-3210efbe33ce
question id
0/23
models correct
1
valid answer
0%
success rate
// reference answer
Human-validated correct answer for this question.
powershellsensitive
// model comparison
| Model | Answer | KQL query | Status | Tries | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | lazagnemodule | DeviceProcessEvents | where FileName has "powershell" | where ProcessCommandLine has "WinPwn" | extend potentialFunctionName = extract(@'WinPwn.*?(\b[a-zA-Z-]+\b)', 1, ProcessCommandLine) | where isnotempty(potentialFunctionName) | project Timestamp, DeviceName, ProcessCommandLine, potentialFunctionName | fail | 1 | 31.20s | 0.0136 |
| gpt-35-turbo | no answer | no query generated | fail | 5 | 0.00s | 0.0113 |
| gpt-4-turbo-2024-04-09 | no answer | no query generated | fail | 5 | 0.00s | 0.2406 |
| gpt-4.1 | no answer | no query generated | fail | 5 | 0.00s | 0.0421 |
| gpt-4.1-finetuned | no answer | no query generated | fail | 5 | 0.00s | 0.0464 |
| gpt-4.1-mini | no answer | no query generated | fail | 5 | 0.00s | 0.0075 |
| gpt-4.1-nano | no answer | no query generated | fail | 5 | 0.00s | 0.0015 |
| gpt-4o | Generalrecon | DeviceProcessEvents | where InitiatingProcessFileName contains "powershell" and InitiatingProcessCommandLine contains "WinPwn" | project InitiatingProcessId, ProcessCommandLine, InitiatingProcessCommandLine | fail | 1 | 2.99s | 0.0145 |
| gpt-5-high | no answer | no query generated | fail | 5 | 0.00s | 0.3020 |
| gpt-5-mini-high | no answer | no query generated | fail | 5 | 0.00s | 0.0201 |
| gpt-5-mini-low | no answer | no query generated | fail | 5 | 0.00s | 0.0159 |
| gpt-5-mini-medium | no answer | no query generated | fail | 5 | 0.00s | 0.0119 |
| gpt-5-nano-high | no answer | no query generated | fail | 5 | 0.00s | 0.0073 |
| gpt-5-nano-medium | no answer | no query generated | fail | 5 | 0.00s | 0.0072 |
| grok-3-beta | lazagnemodule | DeviceProcessEvents | where InitiatingProcessFileName contains "powershell.exe" | where ProcessCommandLine contains "winpwn" or ProcessCommandLine contains "credential" or ProcessCommandLine contains "password" or ProcessCommandLine contains "sensitive" or ProcessCommandLine contains "dump" | project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, FileName, FolderPath | order by TimeGenerated desc | fail | 1 | 17.89s | 0.0324 |
| grok-3-mini-beta | no answer | no query generated | fail | 5 | 0.00s | 0.0073 |
| o1-high | lazagnemodule | DeviceProcessEvents | where FileName =~ "powershell.exe" | where ProcessCommandLine has "WinPwn" | parse kind=regex ProcessCommandLine with @"(Invoke-[^\s]+)" FunctionName | project TimeGenerated, DeviceName, FunctionName, ProcessCommandLine | fail | 2 | 62.66s | 0.4470 |
| o1-low | lazagnemodule | DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName =~ "powershell.exe" | where ProcessCommandLine has "WinPwn" | parse kind=regex flags=U ProcessCommandLine with @".*(Invoke-[^\s]+).*" FunctionName | project TimeGenerated, DeviceName, ProcessCommandLine, FunctionName | order by TimeGenerated desc | fail | 2 | 68.50s | 0.4407 |
| o3-high | no answer | no query generated | fail | 5 | 0.00s | 0.1120 |
| o3-mini-high | no answer | no query generated | fail | 5 | 0.00s | 0.0374 |
| o3-mini-low | no answer | no query generated | fail | 5 | 0.00s | 0.0399 |
| o4-mini-high | no answer | no query generated | fail | 5 | 0.00s | 0.0498 |
| o4-mini-low | no answer | no query generated | fail | 5 | 0.00s | 0.0500 |