Question Analysis
On Windows, review PowerShell process events to find where a remote .ps1 script was downloaded and executed to pull credentials from the vault. Determine the file name of the script that was downloaded.
Question ID: c89becbe-1758-4e7d-a0f4-97d2188a23e3
Models Correct: 6/16
Valid Answer: 1
Success Rate: 38%
Reference Answer
Human-validated correct answer for this question
GetCredmanCreds.ps1
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | GetCredmanCreds.ps1 | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName =~ "powershell.exe"
// Look for common in-memory execution patterns involving remote sources
| where ProcessCommandLine has_any ("iex", "invoke-expression", "downloadstring", "invoke-webrequest")
and (ProcessCommandLine has "http://" or ProcessCommandLine has "https://")
// Extract potential remote source URL from the command line
| extend RemoteSourceUrl = extract(@'http[s]?://[^\s"]+', 0, ProcessCommandLine)
// Attempt to get the path/filename part from the URL
| extend PotentialScriptName = iif(isnotempty(RemoteSourceUrl), parse_url(RemoteSourceUrl).Path, "")
| project Timestamp, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, AccountName, RemoteSourceUrl, PotentialScriptName, ProcessId | Correct | 1 | 31.70s | 0.0162 |
gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0110 |
gpt-4-turbo-2024-04-09 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2672 |
gpt-4.1 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0601 |
gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0325 |
gpt-4.1-mini | GetCredmanCreds.ps1 | DeviceProcessEvents
| where FileName has "powershell" or FileName has "pwsh"
| where ProcessCommandLine has "http" or ProcessCommandLine has "https"
| extend ScriptUri = extract(@"(https?://[^\s']+\.ps1)", 1, ProcessCommandLine)
| where isnotempty(ScriptUri)
| extend ScriptName = extract(@"([^/]+\.ps1)", 1, ScriptUri)
| project TimeGenerated, DeviceName, AccountName, ProcessCreationTime, ProcessCommandLine, ScriptUri, ScriptName
| order by TimeGenerated desc | Correct | 1 | 4.50s | 0.0036 |
gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0015 |
gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0686 |
grok-3-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0987 |
grok-3-mini-beta | T1572-doh-beacon.ps1 | DeviceProcessEvents
| where FileName == 'powershell.exe'
| where ProcessCommandLine contains '.ps1' and (ProcessCommandLine contains 'http' or ProcessCommandLine contains 'Invoke-WebRequest')
| project ScriptFileName = extract(@"[^\\]+?\.ps1$", 0, ProcessCommandLine), Timestamp, DeviceName, ProcessCommandLine
| summarize arg_max(Timestamp, *) by ScriptFileName
| order by Timestamp desc
| limit 100 // Limit results for review; adjust as needed | Incorrect | 1 | 16.97s | 0.0016 |
o1-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.8259 |
o1-low | GetCredmanCreds.ps1 | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any ("http://", "https://") and ProcessCommandLine has ".ps1"
| project TimeGenerated,
DeviceName,
AccountName,
ProcessCommandLine,
DownloadedScript = extract("(https?://[^ ]+\\.ps1)", 0, ProcessCommandLine)
| order by TimeGenerated desc | Correct | 2 | 55.42s | 0.4529 |
o3-mini-high | GetCredmanCreds.ps1 | DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine matches regex "https?://[^\\s]+\\.ps1"
| extend ScriptFullURL = extract("(https?://[^\\s]+\\.ps1)", 1, ProcessCommandLine)
| extend ScriptName = tostring(split(ScriptFullURL, "/")[-1])
| project TimeGenerated, DeviceName, ProcessCommandLine, ScriptName | Correct | 3 | 31.53s | 0.0281 |
o3-mini-low | GetCredmanCreds.ps1 | DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine contains ".ps1" and ProcessCommandLine contains "http"
| extend ScriptName = extract(@"(?:http[s]?://\S*/)?([\w\-.]+\.ps1)", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, AccountName, ProcessId, ScriptName, ProcessCommandLine
| order by TimeGenerated desc | Correct | 2 | 101.05s | 0.0243 |
o4-mini-high | GetCredmanCreds.ps1 | DeviceProcessEvents
| where FileName in ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine matches regex @"https?://\S+?\.ps1"
| extend ScriptUrl = extract(@"https?://\S+?\.ps1", 0, ProcessCommandLine)
| extend ScriptName = extract(@"([^/]+\.ps1)$", 1, ScriptUrl)
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ScriptUrl, ScriptName, ProcessCommandLine
| sort by TimeGenerated desc | Correct | 2 | 103.80s | 0.0260 |
o4-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0420 |