Question Analysis
On Windows hosts, look through recent PowerShell execution records to find any elevated session where remote management was turned on. What exact command was run to enable PSRemoting?
9059e8de-3d7d-4954-a322-46161880b9cf
Question ID
3/16
Models Correct
1
Valid Answer
19%
Success Rate
Reference Answer
Human-validated correct answer for this question
Enable-PSRemoting -Force
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0206 |
| gpt-35-turbo | Enable-PSRemoting -Force | DeviceProcessEvents
| where ProcessCommandLine contains 'Enable-PSRemoting -Force' | Correct | 1 | 1.97s | 0.0032 |
| gpt-4-turbo-2024-04-09 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2305 |
| gpt-4.1 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0415 |
| gpt-4.1-finetuned | Enable-PSRemoting -Force | DeviceProcessEvents
| where ProcessCommandLine has_all ("powershell", "enable-psremoting")
| project Timestamp, ProcessCommandLine, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessParentFileName
| order by Timestamp desc | Correct | 3 | 46.20s | 0.0170 |
| gpt-4.1-mini | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0083 |
| gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0016 |
| gpt-4o | Enable-PSRemoting -Force | DeviceProcessEvents
| where FileName endswith "powershell.exe"
and ProcessTokenElevation != ""
and ProcessTokenElevation !in ("Default")
and (isnotempty(IsInitiatingProcessRemoteSession) or isnotempty(IsProcessRemoteSession))
| where ProcessCommandLine contains "Enable-PSRemoting" or ProcessCommandLine contains "winrm quickconfig" or ProcessCommandLine contains "Set-WSManQuickConfig"
| project DeviceName, InitiatingProcessAccountName, ProcessCommandLine, TimeGenerated | Correct | 5 | 29.47s | 0.0516 |
| grok-3-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0908 |
| grok-3-mini-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0070 |
| o1-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.7783 |
| o1-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.8859 |
| o3-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0423 |
| o3-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0470 |
| o4-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0477 |
| o4-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0397 |