Question Analysis

On Windows, review PowerShell process events to spot where a remote .ps1 was fetched and run to pull vault credentials. Determine the name of the script file that was downloaded.

c89becbe-1758-4e7d-a0f4-97d2188a23e3
Question ID
6/16
Models Correct
1
Valid Answer
38%
Success Rate
Reference Answer

Human-validated correct answer for this question

GetCredmanCreds.ps1
Model Performance Comparison

See how different AI models performed on this question

ModelAnswerKQL QueryStatusAttemptsTimeCost
gemini-2.5-flash-preview-04-17
GetCredmanCreds.ps1
DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName =~ "powershell.exe" // Look for common in-memory execution patterns involving remote sources | where ProcessCommandLine has_any ("iex", "invoke-expression", "downloadstring", "invoke-webrequest") and (ProcessCommandLine has "http://" or ProcessCommandLine has "https://") // Extract potential remote source URL from the command line | extend RemoteSourceUrl = extract(@'http[s]?://[^\s"]+', 0, ProcessCommandLine) // Attempt to get the path/filename part from the URL | extend PotentialScriptName = iif(isnotempty(RemoteSourceUrl), parse_url(RemoteSourceUrl).Path, "") | project Timestamp, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, AccountName, RemoteSourceUrl, PotentialScriptName, ProcessId
Correct
1
31.70s
0.0162
gpt-35-turbo
No answer provided
No query generated
Incorrect
5
0.00s
0.0110
gpt-4-turbo-2024-04-09
No answer provided
No query generated
Incorrect
5
0.00s
0.2672
gpt-4.1
No answer provided
No query generated
Incorrect
5
0.00s
0.0601
gpt-4.1-finetuned
No answer provided
No query generated
Incorrect
5
0.00s
0.0325
gpt-4.1-mini
GetCredmanCreds.ps1
DeviceProcessEvents | where FileName has "powershell" or FileName has "pwsh" | where ProcessCommandLine has "http" or ProcessCommandLine has "https" | extend ScriptUri = extract(@"(https?://[^\s']+\.ps1)", 1, ProcessCommandLine) | where isnotempty(ScriptUri) | extend ScriptName = extract(@"([^/]+\.ps1)", 1, ScriptUri) | project TimeGenerated, DeviceName, AccountName, ProcessCreationTime, ProcessCommandLine, ScriptUri, ScriptName | order by TimeGenerated desc
Correct
1
4.50s
0.0036
gpt-4.1-nano
No answer provided
No query generated
Incorrect
5
0.00s
0.0015
gpt-4o
No answer provided
No query generated
Incorrect
5
0.00s
0.0686
grok-3-beta
No answer provided
No query generated
Incorrect
5
0.00s
0.0987
grok-3-mini-beta
T1572-doh-beacon.ps1
DeviceProcessEvents | where FileName == 'powershell.exe' | where ProcessCommandLine contains '.ps1' and (ProcessCommandLine contains 'http' or ProcessCommandLine contains 'Invoke-WebRequest') | project ScriptFileName = extract(@"[^\\]+?\.ps1$", 0, ProcessCommandLine), Timestamp, DeviceName, ProcessCommandLine | summarize arg_max(Timestamp, *) by ScriptFileName | order by Timestamp desc | limit 100 // Limit results for review; adjust as needed
Incorrect
1
16.97s
0.0016
o1-high
No answer provided
No query generated
Incorrect
5
0.00s
0.8259
o1-low
GetCredmanCreds.ps1
DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe") | where ProcessCommandLine has_any ("http://", "https://") and ProcessCommandLine has ".ps1" | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, DownloadedScript = extract("(https?://[^ ]+\\.ps1)", 0, ProcessCommandLine) | order by TimeGenerated desc
Correct
2
55.42s
0.4529
o3-mini-high
GetCredmanCreds.ps1
DeviceProcessEvents | where FileName =~ "powershell.exe" | where ProcessCommandLine matches regex "https?://[^\\s]+\\.ps1" | extend ScriptFullURL = extract("(https?://[^\\s]+\\.ps1)", 1, ProcessCommandLine) | extend ScriptName = tostring(split(ScriptFullURL, "/")[-1]) | project TimeGenerated, DeviceName, ProcessCommandLine, ScriptName
Correct
3
31.53s
0.0281
o3-mini-low
GetCredmanCreds.ps1
DeviceProcessEvents | where FileName =~ "powershell.exe" | where ProcessCommandLine contains ".ps1" and ProcessCommandLine contains "http" | extend ScriptName = extract(@"(?:http[s]?://\S*/)?([\w\-.]+\.ps1)", 1, ProcessCommandLine) | project TimeGenerated, DeviceName, AccountName, ProcessId, ScriptName, ProcessCommandLine | order by TimeGenerated desc
Correct
2
101.05s
0.0243
o4-mini-high
GetCredmanCreds.ps1
DeviceProcessEvents | where FileName in ("powershell.exe", "pwsh.exe") | where ProcessCommandLine matches regex @"https?://\S+?\.ps1" | extend ScriptUrl = extract(@"https?://\S+?\.ps1", 0, ProcessCommandLine) | extend ScriptName = extract(@"([^/]+\.ps1)$", 1, ScriptUrl) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ScriptUrl, ScriptName, ProcessCommandLine | sort by TimeGenerated desc
Correct
2
103.80s
0.0260
o4-mini-low
No answer provided
No query generated
Incorrect
5
0.00s
0.0420