// question

On a Windows system, security logs show a PowerShell process downloaded and executed a WinPwn script. Which function name was invoked to perform the search for credentials or other sensitive data?

Reference KQL answer and model-by-model comparison.

75f66e03-37d3-4704-9520-3210efbe33ce
question id
0/23
models correct
1
valid answer
0%
success rate
// reference answer

Human-validated correct answer for this question.

powershellsensitive
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
lazagnemodule
DeviceProcessEvents
| where FileName has "powershell"
| where ProcessCommandLine has "WinPwn"
| extend potentialFunctionName = extract(@'WinPwn.*?(\b[a-zA-Z-]+\b)', 1, ProcessCommandLine)
| where isnotempty(potentialFunctionName)
| project Timestamp, DeviceName, ProcessCommandLine, potentialFunctionName
fail131.20s0.0136
gpt-35-turbo
no answer
no query generatedfail50.00s0.0113
gpt-4-turbo-2024-04-09
no answer
no query generatedfail50.00s0.2406
gpt-4.1
no answer
no query generatedfail50.00s0.0421
gpt-4.1-finetuned
no answer
no query generatedfail50.00s0.0464
gpt-4.1-mini
no answer
no query generatedfail50.00s0.0075
gpt-4.1-nano
no answer
no query generatedfail50.00s0.0015
gpt-4o
Generalrecon
DeviceProcessEvents
| where InitiatingProcessFileName contains "powershell" and InitiatingProcessCommandLine contains "WinPwn"
| project InitiatingProcessId, ProcessCommandLine, InitiatingProcessCommandLine
fail12.99s0.0145
gpt-5-high
no answer
no query generatedfail50.00s0.3020
gpt-5-mini-high
no answer
no query generatedfail50.00s0.0201
gpt-5-mini-low
no answer
no query generatedfail50.00s0.0159
gpt-5-mini-medium
no answer
no query generatedfail50.00s0.0119
gpt-5-nano-high
no answer
no query generatedfail50.00s0.0073
gpt-5-nano-medium
no answer
no query generatedfail50.00s0.0072
grok-3-beta
lazagnemodule
DeviceProcessEvents
| where InitiatingProcessFileName contains "powershell.exe"
| where ProcessCommandLine contains "winpwn" or ProcessCommandLine contains "credential" or ProcessCommandLine contains "password" or ProcessCommandLine contains "sensitive" or ProcessCommandLine contains "dump"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, FileName, FolderPath
| order by TimeGenerated desc
fail117.89s0.0324
grok-3-mini-beta
no answer
no query generatedfail50.00s0.0073
o1-high
lazagnemodule
DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has "WinPwn"
| parse kind=regex ProcessCommandLine with @"(Invoke-[^\s]+)" FunctionName
| project TimeGenerated, DeviceName, FunctionName, ProcessCommandLine
fail262.66s0.4470
o1-low
lazagnemodule
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has "WinPwn"
| parse kind=regex flags=U ProcessCommandLine with @".*(Invoke-[^\s]+).*" FunctionName
| project TimeGenerated, DeviceName, ProcessCommandLine, FunctionName
| order by TimeGenerated desc
fail268.50s0.4407
o3-high
no answer
no query generatedfail50.00s0.1120
o3-mini-high
no answer
no query generatedfail50.00s0.0374
o3-mini-low
no answer
no query generatedfail50.00s0.0399
o4-mini-high
no answer
no query generatedfail50.00s0.0498
o4-mini-low
no answer
no query generatedfail50.00s0.0500