Question Analysis

On Windows devices, hunt for PowerShell activity in which a remote script is fetched and executed to perform LLMNR/NBNS spoofing. Which cmdlet started the listener?

deecd55f-afe0-4a62-9fba-4d1ba2deb321
Question ID
7/16
Models Correct
1
Valid Answer
44%
Success Rate
Reference Answer

Human-validated correct answer for this question (the listener-starting cmdlet expected from the hunt)

Invoke-Inveigh
Model Performance Comparison

See how different AI models performed on this question

Model | Answer | KQL Query | Status | Attempts | Time | Cost
gemini-2.5-flash-preview-04-17
Invoke-Inveigh
DeviceProcessEvents | where FileName =~ "powershell.exe" | where ProcessCommandLine has "LLMNR" or ProcessCommandLine has "NBNS" or ProcessCommandLine has "spoof" or ProcessCommandLine has "listener" or ProcessCommandLine has "Responder" | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine
Correct
1
17.93s
0.0095
gpt-35-turbo
No answer provided
No query generated
Incorrect
5
0.00s
0.0114
gpt-4-turbo-2024-04-09
No answer provided
No query generated
Incorrect
5
0.00s
0.2498
gpt-4.1
Inveigh
DeviceProcessEvents | where FileName =~ "powershell.exe" or FileName =~ "pwsh.exe" | where ProcessCommandLine has_any ("Invoke-WebRequest", "IEX", "Invoke-Expression", "wget", "curl") | where ProcessCommandLine has_any ("responder", "inveigh", "NBNS", "LLMNR", "-NBNS", "-LLMNR") | extend ListenerCmdlet = case( ProcessCommandLine has "Inveigh", "Inveigh", ProcessCommandLine has "Responder", "Responder", ProcessCommandLine has "NBNS", "NBNS", ProcessCommandLine has "LLMNR", "LLMNR", "Unknown" ) | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, ListenerCmdlet
Correct
1
7.04s
0.0128
gpt-4.1-finetuned
No answer provided
No query generated
Incorrect
5
0.00s
0.0718
gpt-4.1-mini
Invoke-Inveigh
DeviceProcessEvents | where FileName =~ "powershell.exe" or FileName =~ "pwsh.exe" // Looking for command lines that download and execute remote scripts, commonly using 'Invoke-WebRequest', 'IEX', or 'Invoke-Expression' | where ProcessCommandLine has_any ("Invoke-WebRequest", "IEX", "Invoke-Expression", "DownloadString", "DownloadFile", "curl", "wget") // Look further for indications related to LLMNR/NBNS spoofing in command line | where ProcessCommandLine has_any ("LLMNR", "NBNS", "NetBIOS", "spoof", "spoofer", "Responder", "Impacket", "Invoke-DNSResponse", "nbtstat") | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | top 10 by TimeGenerated desc
Correct
1
4.20s
0.0024
gpt-4.1-nano
No answer provided
No query generated
Incorrect
5
0.00s
0.0019
gpt-4o
No answer provided
No query generated
Incorrect
5
0.00s
0.0563
grok-3-beta
No answer provided
No query generated
Incorrect
5
0.00s
0.1244
grok-3-mini-beta
Invoke-Inveigh
DeviceProcessEvents | where FileName == 'powershell.exe' | where ProcessCommandLine has_any ('Invoke-WebRequest', 'IWR', 'download', 'LLMNR', 'NBNS', 'spoofing') | project DeviceName, AccountName, ProcessCommandLine, Timestamp | summarize arg_max(Timestamp, *) by ProcessCommandLine | project ProcessCommandLine
Correct
1
14.75s
0.0022
o1-high
Invoke-Inveigh
DeviceProcessEvents | where (FileName == "powershell.exe" or FileName == "pwsh.exe") // Look for commands that reference a remote HTTP source | where ProcessCommandLine has_any ("http://", "https://") // Identify the download or web request methods | where ProcessCommandLine has_any ("Invoke-WebRequest", "Invoke-RestMethod", "iwr", "irm", "New-Object Net.WebClient", "wget") // Look for signs of LLMNR/NBNS spoofing or references to Responder | where ProcessCommandLine has_any ("LLMNR", "NBNS", "Responder", "spoofing") // Extract which cmdlet actually started the listener | extend SuspectedCmdlet = extract(@"(Invoke-WebRequest|Invoke-RestMethod|iwr|irm|New-Object\s+[Nn]et\.WebClient|wget|Start-Process|netsh)",1,ProcessCommandLine) | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine, SuspectedCmdlet | order by TimeGenerated desc
Correct
1
45.83s
0.3035
o1-low
IEX
DeviceProcessEvents | where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe") | where isnotempty(ProcessCommandLine) // Identify references to remote script fetching and LLMNR/NBNS spoofing | where ProcessCommandLine has_any ("IEX", "Invoke-WebRequest", "Invoke-Expression", "Net.WebClient", "DownloadString", "Inveigh", "Responder") | where ProcessCommandLine has_any ("LLMNR", "NBNS") // Extract the cmdlet that might have kicked off the listener | extend ListenerCmdlet = extract(@"(?i)(Start-Inveigh|Invoke-Inveigh|Invoke-Expression|Invoke-WebRequest|IEX|Net\\.WebClient|DownloadString)", 1, ProcessCommandLine) | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, ListenerCmdlet | order by TimeGenerated desc
Incorrect
5
123.03s
0.8322
o3-mini-high
set-itemproperty
DeviceProcessEvents | where FileName =~ "powershell.exe" | where ProcessCommandLine has "DownloadString" and ProcessCommandLine has "IEX" | extend ListenerCmdlet = extract(@"(?i)(\w+-\w+)\s+.*", 1, ProcessCommandLine) | project TimeGenerated, DeviceName, ProcessCommandLine, ListenerCmdlet | sort by TimeGenerated desc
Incorrect
1
26.79s
0.0193
o3-mini-low
Invoke-Inveigh
DeviceProcessEvents | where FileName =~ "powershell.exe" // Look for remote execution (script fetched via http(s)) and signs of LLMNR/NBNS spoofing | where ProcessCommandLine has_any ("http://", "https://") and (ProcessCommandLine has "LLMNR" or ProcessCommandLine has "NBNS" or ProcessCommandLine has "spoof") // Extract the first PowerShell cmdlet that appears in the command line (e.g. Invoke-Expression, Invoke-WebRequest, etc.) | extend ListenerCmdlet = extract("(?i)(Invoke-[a-zA-Z]+)", 1, ProcessCommandLine) | where isnotempty(ListenerCmdlet) | summarize Count = count() by ListenerCmdlet, bin(TimeGenerated, 1h) | sort by TimeGenerated desc
Correct
1
26.09s
0.0144
o4-mini-high
Invoke-Inveigh
DeviceProcessEvents // Time range is applied externally by the hunting dashboard or query tool | where FileName in ("powershell.exe", "pwsh.exe") // Identify remote fetch and execution patterns | where ProcessCommandLine has_any ("Invoke-WebRequest", "iwr", "DownloadString", "New-Object Net.WebClient", "Invoke-Expression", "iex") // Narrow to LLMNR/NBNS spoofing indicators | where ProcessCommandLine matches regex @"(?i)\b(?:llmnr|nbns|spoof)\b" // Extract the spoofing-related cmdlet (e.g., Invoke-LlmnrSpoofing, Start-NbnsSpoofing) | extend SpoofingCmdlet = extract(@"(?i)\b((?:Invoke|Start)-[A-Za-z0-9]+)\b", 1, ProcessCommandLine) | where isnotempty(SpoofingCmdlet) // Summarize which cmdlet kicked off the listener | summarize Occurrences = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), ExampleCommand = any(ProcessCommandLine) by SpoofingCmdlet | order by Occurrences desc
Correct
5
181.57s
0.0542
o4-mini-low
No answer provided
No query generated
Incorrect
5
0.00s
0.0507