Question Analysis
On Windows hosts, look through recent PowerShell execution records to find any elevated session where remote management was turned on. What exact command was run to enable PSRemoting?
9059e8de-3d7d-4954-a322-46161880b9cf
Question ID
5/23
Models Correct
1
Valid Answer
22%
Success Rate
Reference Answer
Human-validated correct answer for this question
Enable-PSRemoting -Force
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0206 |
gpt-35-turbo | Enable-PSRemoting -Force | DeviceProcessEvents
| where ProcessCommandLine contains 'Enable-PSRemoting -Force' | Correct | 1 | 1.97s | 0.0032 |
gpt-4-turbo-2024-04-09 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2305 |
gpt-4.1 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0415 |
gpt-4.1-finetuned | Enable-PSRemoting -Force | DeviceProcessEvents
// Keep process-creation rows whose command line contains both terms; has_all is a case-insensitive term match.
// NOTE(review): a command line that never contains the term "powershell" is not matched by this filter.
// NOTE(review): no ProcessTokenElevation or integrity-level condition appears in the visible query lines, so the "elevated session" part of the question is not enforced here.
| where ProcessCommandLine has_all ("powershell", "enable-psremoting")
// Keep the fields needed to attribute the command: when, what, which host, which account, and the initiating process's parent.
| project Timestamp, ProcessCommandLine, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessParentFileName
| order by Timestamp desc | Correct | 3 | 46.20s | 0.0170 |
gpt-4.1-mini | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0083 |
gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0016 |
gpt-4o | Enable-PSRemoting -Force | DeviceProcessEvents
// Only rows whose image name ends with powershell.exe (endswith is case-insensitive); pwsh.exe and powershell_ise.exe are not covered.
| where FileName endswith "powershell.exe"
and ProcessTokenElevation != ""
// NOTE(review): !in is a case-sensitive whole-string comparison. The documented ProcessTokenElevation values are
// TokenElevationTypeDefault, TokenElevationTypeLimited and TokenElevationTypeFull, so the literal "Default" never equals any of them
// and this condition excludes nothing. To keep only elevated processes, compare against TokenElevationTypeFull instead.
and ProcessTokenElevation !in ("Default")
// NOTE(review): isnotempty() checks that the remote-session flags are populated, not that they are true, so this presumably also
// passes local sessions. The question asks about elevation, not about remote sessions. Confirm whether this clause is wanted at all.
and (isnotempty(IsInitiatingProcessRemoteSession) or isnotempty(IsProcessRemoteSession))
// Command-line match for three ways of turning on WinRM/PowerShell remoting; contains is a case-insensitive substring match.
| where ProcessCommandLine contains "Enable-PSRemoting" or ProcessCommandLine contains "winrm quickconfig" or ProcessCommandLine contains "Set-WSManQuickConfig"
| project DeviceName, InitiatingProcessAccountName, ProcessCommandLine, TimeGenerated | Correct | 5 | 29.47s | 0.0516 |
gpt-5-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2888 |
gpt-5-mini-high | Enable-PSRemoting -Force | union isfuzzy=true DeviceProcessEvents, DeviceEvents
// Keep rows where either the image name or the command line mentions powershell or pwsh.
// contains is already case-insensitive, so the tolower() calls do not change which rows match.
| where (tolower(FileName) contains "powershell" or tolower(FileName) contains "pwsh" or tolower(ProcessCommandLine) contains "powershell" or tolower(ProcessCommandLine) contains "pwsh")
// Look for common commands that enable or reconfigure PowerShell remoting / WinRM.
// NOTE(review): "set-item wsman" is a literal substring, so a command written as `Set-Item -Path WSMan:...` is not matched by it.
| where (
tolower(ProcessCommandLine) contains "enable-psremoting"
or tolower(ProcessCommandLine) contains "winrm quickconfig"
or tolower(ProcessCommandLine) contains "set-item wsman"
or tolower(ProcessCommandLine) contains "enable-wsmancredssp"
or tolower(ProcessCommandLine) contains "enable-pssessionconfiguration"
)
// Intended to restrict to elevated sessions (token elevation or high integrity).
// NOTE(review): the documented ProcessTokenElevation values are TokenElevationTypeDefault, TokenElevationTypeLimited and
// TokenElevationTypeFull. Every one of them contains the substring "elev", so the two token-elevation tests are true for any
// populated value and this filter does not separate elevated from non-elevated processes.
// Matching TokenElevationTypeFull (or relying on the integrity-level tests alone) would enforce the restriction.
| where (
tolower(ProcessTokenElevation) contains "elev"
or tolower(InitiatingProcessTokenElevation) contains "elev"
or tolower(ProcessIntegrityLevel) contains "high"
or tolower(InitiatingProcessIntegrityLevel) contains "high"
)
// Output the process, its initiating process, and the elevation fields so an analyst can verify elevation by eye.
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountName, FileName, ProcessId, InitiatingProcessId, ProcessCommandLine, InitiatingProcessCommandLine, ProcessTokenElevation, InitiatingProcessTokenElevation, ReportId, _ResourceId
// Newest events first.
| sort by TimeGenerated desc
| take 100 | Correct | 1 | 28.00s | 0.0065 |
gpt-5-mini-low | Enable-PSRemoting -Force | // Find PowerShell executions that enabled PSRemoting or related WSMan settings
// Substrings/terms that indicate remoting or WSMan configuration being enabled. has_any is case-insensitive, so
// "Enable-PSRemoting" and "Enable-PsRemoting" are the same pattern listed twice.
let RemotingPatterns = dynamic(["Enable-PSRemoting","Enable-WSManCredSSP","Enable-PsRemoting","winrm quickconfig","winrm qc","Set-Item -Path WSMan:","Set-WSManQuickConfig","Enable-WSMan","Configure-SMRemoting"]);
// Image names treated as PowerShell hosts.
let pwshNames = dynamic(["powershell.exe","pwsh.exe","powershell_ise.exe"]);
// DeviceProcessEvents: has elevation fields
let dpe = DeviceProcessEvents
// 30-day lookback.
| where TimeGenerated >= ago(30d)
| where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) or FileName has_any(pwshNames)
// NOTE(review): because of the trailing `or FileName has_any(pwshNames)`, every PowerShell process passes this stage regardless of
// its command line; the real narrowing happens later, where DetectedCommand must be non-empty.
| where ProcessCommandLine has_any(RemotingPatterns) or InitiatingProcessCommandLine has_any(RemotingPatterns) or FileName has_any(pwshNames)
// Use the process's own command line, falling back to the initiating process's when the first is empty.
// NOTE(review): if only the initiating command line held the match while ProcessCommandLine is populated, FullCommandLine is the
// child's command line and the later extract() finds nothing, so that row is dropped.
| extend FullCommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine)
| project TimeGenerated, SourceTable = "DeviceProcessEvents", DeviceName, DeviceId, AccountDomain, AccountName, FullCommandLine, InitiatingCommandLine = InitiatingProcessCommandLine, InitiatingFile = InitiatingProcessFileName, ProcessTokenElevation, InitiatingProcessTokenElevation, InitiatingSession = InitiatingProcessSessionId, ReportId, FileName
// Lower-cased elevation value of the process, else of the initiating process, else empty.
| extend ElevationConcat = tolower(coalesce(ProcessTokenElevation, InitiatingProcessTokenElevation, ""))
// Classify as Yes / Unknown / No.
// NOTE(review): the documented values (TokenElevationTypeDefault, TokenElevationTypeLimited, TokenElevationTypeFull) all contain
// "elevat" once lower-cased, so any populated value is classified "Yes" and the "No" branch is effectively unreachable for them.
// Testing for "tokenelevationtypefull" would distinguish elevated processes.
// NOTE(review): the `%%16895` literal is not one of those three documented values. Confirm where it comes from.
| extend IsElevated = case(ElevationConcat contains "high" or ElevationConcat contains "elevat" or ElevationConcat contains "%%16895", "Yes", ElevationConcat == "" or ElevationConcat == "unknown", "Unknown", "No");
// DeviceEvents: may not have token elevation reliably
let de = DeviceEvents
| where TimeGenerated >= ago(30d)
| where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) or FileName has_any(pwshNames)
| where ProcessCommandLine has_any(RemotingPatterns) or InitiatingProcessCommandLine has_any(RemotingPatterns) or FileName has_any(pwshNames)
| extend FullCommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine)
| project TimeGenerated, SourceTable = "DeviceEvents", DeviceName, DeviceId, AccountDomain, AccountName, FullCommandLine, InitiatingCommandLine = InitiatingProcessCommandLine, InitiatingFile = InitiatingProcessFileName, InitiatingSession = InitiatingProcessSessionId, ReportId, FileName
// Elevation is never evaluated for this table; every row is labelled Unknown and therefore kept by the elevation filter below.
| extend IsElevated = "Unknown";
union dpe, de
// Capture the matched command plus up to 400 following characters, stopping at a newline or semicolon.
// NOTE(review): "Configure-SMRemoting" is in RemotingPatterns but not in this regex, so rows matched only on it are dropped by the
// isnotempty(DetectedCommand) filter.
| extend DetectedCommand = extract(@"(?i)((Enable-PSRemoting|Enable-WSManCredSSP|Enable-PsRemoting|winrm\s+quickconfig|winrm\s+qc|Set-Item\s+-Path\s+WSMan:|Set-WSManQuickConfig|Enable-WSMan)[^\r\n;]{0,400})", 1, FullCommandLine)
| where isnotempty(DetectedCommand)
// Keeps both "Yes" and "Unknown"; combined with the classification above, this does not exclude non-elevated processes.
| where IsElevated == "Yes" or IsElevated == "Unknown"
// One row per device / command / source table, with first and last sighting and a sample of the account and initiating-process fields.
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Count = count(), AnyAccount = any(AccountName), AnyInitiatingFile = any(InitiatingFile), AnyInitiatingSession = any(InitiatingSession), AnyFileName = any(FileName), AnyReportId = any(ReportId) by DeviceId, DeviceName, IsElevated, DetectedCommand, FullCommandLine, SourceTable
// Most recently seen first.
| order by LastSeen desc
| project FirstSeen, LastSeen, Count, DeviceName, DeviceId, IsElevated, DetectedCommand, FullCommandLine, SourceTable, AnyAccount, AnyInitiatingFile, AnyInitiatingSession, AnyFileName, AnyReportId | Correct | 4 | 375.33s | 0.0730 |
gpt-5-mini-medium | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0177 |
gpt-5-nano-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0075 |
gpt-5-nano-medium | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0061 |
grok-3-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0908 |
grok-3-mini-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0070 |
o1-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.7783 |
o1-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.8859 |
o3-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.1136 |
o3-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0423 |
o3-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0470 |
o4-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0477 |
o4-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0397 |