// question

On a Windows system, someone ran PowerShell to copy a file from a remote machine’s C$ share to the local TEMP folder. Using process event logs, what full PowerShell command was executed to perform this action?

Reference KQL answer and model-by-model comparison.

7762e120-5879-44ff-97f8-008b401b9a98
question id
14/23
models correct
1
valid answer
61%
success rate
// reference answer

Human-validated correct answer for this question.

copy-item -Path "\\127.0.0.1\C$\Windows\temp\Easter_Bunny.password" -Destination "$Env:TEMP\Easter_egg.password"
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
"powershell.exe" & {copy-item -Path \"\\127.0.0.1\C$\Windows\temp\Easter_Bunny.password\" -Destination \"$Env:TEMP\Easter_egg.password\"}
DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine contains "\\"
| where ProcessCommandLine contains "TEMP"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
pass17.31s0.0039
gpt-35-turbo
no answer
no query generatedfail50.00s0.0114
gpt-4-turbo-2024-04-09
'powershell.exe' & {copy-item -Path "\\127.0.0.1\C$\Windows\temp\Easter_Bunny.password" -Destination "$Env:TEMP\Easter_egg.password"}
DeviceProcessEvents
| where InitiatingProcessFileName == 'powershell.exe'
| where ProcessCommandLine has 'copy' or ProcessCommandLine has 'cp'
| where ProcessCommandLine has '\\c$' and ProcessCommandLine has 'TEMP'
| project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine
| sort by TimeGenerated desc
pass114.91s0.0565
gpt-4.1
"powershell.exe" & {copy-item -Path "\\127.0.0.1\C$\Windows\temp\Easter_Bunny.password" -Destination "$Env:TEMP\Easter_egg.password"}
DeviceProcessEvents
| where tolower(FileName) in ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has "C$" and ProcessCommandLine has "\\" and ProcessCommandLine has "$"
| where ProcessCommandLine contains "temp" or ProcessCommandLine contains "%temp%" or ProcessCommandLine contains "appdata\\local\\temp"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| sort by TimeGenerated desc
pass313.67s0.0356
gpt-4.1-finetuned
"powershell.exe" & {Remove-Item -Path \"\"\\127.0.0.1\\C$\\Windows\\temp\\Easter_Bunny.password\"\"\nRemove-Item -Path \"\"$Env:TEMP\\Easter_egg.password\"\"}
let tempPath = "\\TEMP\\";
let cshare = "$";
DeviceProcessEvents
| where ProcessCommandLine has tempPath and ProcessCommandLine has cshare
| summarize count(), make_list(ProcessCommandLine)
| order by count_ desc
| extend Full_PowerShell_Command = list_ProcessCommandLine[0]
|  project-away count_, list_ProcessCommandLine
fail110.88s0.0116
gpt-4.1-mini
powershell.exe & {copy-item -Path "\\127.0.0.1\C$\Windows\temp\Easter_Bunny.password" -Destination "$Env:TEMP\Easter_egg.password"}
DeviceProcessEvents
| where tolower(FileName) == "powershell.exe"
| where ProcessCommandLine has "\\" and ProcessCommandLine has "C$"
| where tolower(ProcessCommandLine) contains "temp"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine
| order by TimeGenerated desc
| limit 10
pass326.07s0.0059
gpt-4.1-nano
copy-item
DeviceProcessEvents | where FileName has_any ('powershell', 'PowerShell') | where ProcessCommandLine contains 'copy' or ProcessCommandLine contains 'xcopy' | where ProcessCommandLine contains 'C$' and ProcessCommandLine contains 'TEMP' | project TimeGenerated, DeviceName, ProcessCommandLine | order by TimeGenerated desc
pass11.92s0.0005
gpt-4o
powershell.exe & {copy-item -Path \\\\127.0.0.1\\C$\\Windows\\temp\\Easter_Bunny.password -Destination \$Env:TEMP\\Easter_egg.password}
DeviceProcessEvents
| where FileName contains "powershell" and ProcessCommandLine contains "copy" and ProcessCommandLine contains "C$" and ProcessCommandLine contains "TEMP"
| project ProcessCommandLine
pass14.13s0.0152
gpt-5-high
"powershell.exe" & {copy-item -Path "\\127.0.0.1\C$\Windows\temp\Easter_Bunny.password" -Destination "$Env:TEMP\Easter_egg.password"}
DeviceProcessEvents
| where ActionType == 'ProcessCreated'
| where FileName in~ ('powershell.exe','pwsh.exe','powershell_ise.exe')
// Remote admin share (\\host\c$\...)
| where ProcessCommandLine contains '\\c$\\'
// Copy via PowerShell (Copy-Item or common aliases)
| where ProcessCommandLine has_any ('copy','cp','cpi','robocopy')
// Destination mentions a TEMP location/variable
| where ProcessCommandLine contains '$env:TEMP' or ProcessCommandLine contains '$env:TMP' or
        ProcessCommandLine contains '%TEMP%' or ProcessCommandLine contains '%TMP%' or
        ProcessCommandLine contains '\\AppData\\Local\\Temp' or ProcessCommandLine contains '\\Windows\\Temp' or
        ProcessCommandLine contains ':\\Temp' or ProcessCommandLine contains '\\Temp\\'
| project TimeGenerated, DeviceName, AccountDomain, AccountName, PowerShellCommand=ProcessCommandLine
| order by TimeGenerated desc
pass5492.23s0.2804
gpt-5-mini-high
no answer
no query generatedfail50.00s0.0257
gpt-5-mini-low
"powershell.exe" & {copy-item -Path "\\127.0.0.1\C$\Windows\temp\Easter_Bunny.password" -Destination "$Env:TEMP\Easter_egg.password"}
let srcRegex = @"(?i)\\\\[^\\]+\\C\$\\";  
let destRegex = @"(?i)(%temp%|\$env:TEMP|\\Temp\\|\\Users\\[^\\]+\\AppData\\Local\\Temp\\)";  
union DeviceProcessEvents, DeviceEvents  
| extend Cmd = coalesce(ProcessCommandLine, InitiatingProcessCommandLine)  
| where isnotempty(Cmd)  
| where (FileName has "powershell" or Cmd has "powershell" or Cmd has "pwsh")  
| where Cmd matches regex srcRegex and Cmd matches regex destRegex  
| project TimeGenerated = coalesce(Timestamp, TimeGenerated), DeviceName, Account = coalesce(InitiatingProcessAccountName, AccountName), ProcessFileName = FileName, ProcessId, CommandLine = Cmd  
| order by TimeGenerated desc
pass132.16s0.0077
gpt-5-mini-medium
no answer
no query generatedfail50.00s0.0193
gpt-5-nano-high
no answer
no query generatedfail50.00s0.0071
gpt-5-nano-medium
"powershell.exe" & {copy-item -Path \"\\127.0.0.1\C$\Windows\temp\Easter_Bunny.password\" -Destination \"$Env:TEMP\Easter_egg.password\"}
DeviceProcessEvents
| where isnotempty(ProcessCommandLine)
| where tolower(ProcessCommandLine) contains "powershell" or tolower(ProcessCommandLine) contains "pwsh"
| where tolower(ProcessCommandLine) contains "copy-item"
| where tolower(ProcessCommandLine) contains "c$"
| project TimeGenerated, DeviceName, AccountDomain, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, ProcessCommandLine
pass158.53s0.0029
grok-3-beta
powershell.exe & {copy-item -Path "\\127.0.0.1\C$\Windows\temp\Easter_Bunny.password" -Destination "$Env:TEMP\Easter_egg.password"}
DeviceProcessEvents
| where FileName contains "powershell.exe"
| where ProcessCommandLine contains "C$" and ProcessCommandLine contains "temp"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| order by Timestamp desc
pass114.68s0.0239
grok-3-mini-beta
no answer
no query generatedfail50.00s0.0071
o1-high
powershell.exe & {copy-item -Path "\\127.0.0.1\C$\Windows\temp\Easter_Bunny.password" -Destination "$Env:TEMP\Easter_egg.password"}
DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("Copy-Item", "copy")
| where ProcessCommandLine has "C$" and ProcessCommandLine has "temp"
| project TimeGenerated, DeviceName, AccountDomain, AccountName, ProcessCommandLine
| order by TimeGenerated desc
pass145.79s0.2705
o1-low
powershell.exe&{copy-item-Path"\\127.0.0.1\C$\Windows\temp\Easter_Bunny.password"-Destination"$Env:TEMP\Easter_egg.password"}
DeviceProcessEvents
| where ActionType =~ "ProcessCreated"
| where FileName =~ "powershell.exe" or FileName =~ "pwsh.exe"
| where ProcessCommandLine has "C$" and ProcessCommandLine has "temp" and ProcessCommandLine has_any ("copy", "cp", "xcopy")
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, FolderPath, FileName, SHA256, InitiatingProcessCommandLine
| order by TimeGenerated desc
fail164.34s0.3868
o3-high
"powershell.exe" & {copy-item -Path \"\\127.0.0.1\\C$\\Windows\\temp\\Easter_Bunny.password\" -Destination \"$Env:TEMP\\Easter_egg.password\"}
// PowerShell file-copy from a remote C$ share to the local TEMP folder
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName has_cs "powershell"             // powershell.exe, pwsh.exe, etc.
// must reference a remote administrative C$ share
| where ProcessCommandLine contains "\\" and ProcessCommandLine contains "\\c$"
// indication of a copy operation
| where ProcessCommandLine has_any ("copy-item", "Copy-Item", " copy ", "copy ")
// destination is some form of the local temporary directory
| where ProcessCommandLine has_any ("%temp%", "\\temp\\", "\\Temp\\", "windows\\temp", "$env:TEMP", "$env:temp")
// ————————————————————————————————————————
| project TimeGenerated,
          DeviceName,
          AccountDomain,
          AccountName,
          FileName,
          ProcessCommandLine
| order by TimeGenerated desc
pass268.80s0.0366
o3-mini-high
no answer
no query generatedfail50.00s0.0425
o3-mini-low
no answer
no query generatedfail50.00s0.0437
o4-mini-high
"powershell.exe" & {copy-item -Path "\\127.0.0.1\C$\Windows\temp\Easter_Bunny.password" -Destination "$Env:TEMP\Easter_egg.password"}
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has "Copy-Item"
      and ProcessCommandLine contains "\\C$"
      and ProcessCommandLine contains "Temp"
| project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine
| sort by Timestamp desc
pass140.35s0.0149
o4-mini-low
"powershell.exe" & {copy-item -Path "\\127.0.0.1\C$\Windows\temp\Easter_Bunny.password" -Destination "$Env:TEMP\Easter_egg.password"}
DeviceProcessEvents
| where ActionType == "ProcessCreated"
// Only look at PowerShell processes
| where FileName has "powershell" or ProcessCommandLine has "powershell"
// Filter for UNC path pointing to a C$ share and local TEMP folder
| where ProcessCommandLine has "\\" 
| where tolower(ProcessCommandLine) has "c$"
| where tolower(ProcessCommandLine) has "temp"
// Select relevant fields
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
// Order by most recent
| order by TimeGenerated desc
pass282.32s0.0248