Question Analysis

Question: Review recent Windows process event logs for PowerShell activity that suggests local group enumeration through WMI. What exact command was executed?

Question ID: 69119e58-96db-4110-ad27-954e48f3bb13
Models Correct: 12/16
Valid Answers: 1
Success Rate: 75%
Reference Answer
Human-validated correct answer for this question
Get-WMIObject Win32_Group
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | Status | Attempts | Time | Cost
---|---|---|---|---|---
gemini-2.5-flash-preview-04-17 | Get-WMIObject Win32_Group | Correct | 1 | 7.52s | 0.0027
gpt-35-turbo | No answer provided | Incorrect | 5 | 0.00s | 0.0112
gpt-4-turbo-2024-04-09 | "powershell.exe" & {Get-WMIObject Win32_Group} | Correct | 1 | 10.81s | 0.0522
gpt-4.1 | "powershell.exe" & {Get-WMIObject Win32_Group} | Correct | 2 | 8.96s | 0.0216
gpt-4.1-finetuned | & {Get-WMIObject Win32_Group} | Correct | 1 | 11.36s | 0.0176
gpt-4.1-mini | Get-WMIObject Win32_Group | Correct | 1 | 4.49s | 0.0025
gpt-4.1-nano | No answer provided | Incorrect | 5 | 0.00s | 0.0013
gpt-4o | Get-WMIObject Win32_Group | Correct | 1 | 3.17s | 0.0145
grok-3-beta | Get-WMIObject Win32_Group | Correct | 1 | 10.32s | 0.0261
grok-3-mini-beta | "powershell.exe" & {Get-WMIObject Win32_Group} | Correct | 1 | 13.33s | 0.0016
o1-high | "powershell.exe" & {Get-WMIObject Win32_Group} | Correct | 1 | 48.88s | 0.2647
o1-low | "powershell.exe" & {Get-WMIObject Win32_Group} | Correct | 1 | 39.32s | 0.2950
o3-mini-high | Invoke-AtomicTest | Incorrect | 4 | 60.30s | 0.0452
o3-mini-low | Get-WMIObject | Correct | 4 | 60.95s | 0.0389
o4-mini-high | Get-WMIObject Win32_Group | Correct | 2 | 64.04s | 0.0241
o4-mini-low | No answer provided | Incorrect | 5 | 0.00s | 0.0391

KQL Queries by Model
The query each model generated, verbatim. Models marked "No query generated" above produced none.

gemini-2.5-flash-preview-04-17

```kql
DeviceProcessEvents
| where FileName == "powershell.exe"
| where ProcessCommandLine has_any ("Win32_Group", "Get-LocalGroup", "wmic group")
| project Timestamp, DeviceName, ProcessCommandLine
```

gpt-35-turbo

No query generated.

gpt-4-turbo-2024-04-09

```kql
DeviceProcessEvents
| where FileName has 'powershell.exe' or FileName has 'pwsh.exe'
| where ProcessCommandLine has 'Get-WmiObject' and (ProcessCommandLine has 'Win32_Group' or ProcessCommandLine has 'Win32_GroupUser')
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine
| order by TimeGenerated desc
```

gpt-4.1

```kql
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "powershell")
| where ProcessCommandLine has_any ("Get-WmiObject Win32_Group", "gwmi win32_group", "wmic group", "Get-CimInstance Win32_Group", "Get-WmiObject -Class Win32_Group")
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine
```

gpt-4.1-finetuned

```kql
DeviceProcessEvents
| where InitiatingProcessFileName =~ "powershell.exe" or InitiatingProcessCommandLine matches regex "(?i)\bps\b"
| where ProcessCommandLine has "get-wmiobject" and ProcessCommandLine has "win32_group"
| extend Account = tostring(split(AccountName,'@',0)[0]),AccountDomain = tostring(split(AccountName,'@',1)[0])
| where Account != "NT AUTHORITY" and Account != "Window Manager" and Account != "DWM-1" and Account != "UMFD-0" and Account != "AUTORUN"
| extend Name = tostring(split(AccountName,'@',0)[0]), UPNSuffix = tostring(split(AccountName,'@',1)[0])
| project-reorder TimeGenerated,AccountName,FileName,ProcessCommandLine,InitiatingProcessCommandLine
| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, FileHashCustomEntity = SHA256
```

gpt-4.1-mini

```kql
DeviceProcessEvents
| where FileName =~ "powershell.exe" or FileName =~ "pwsh.exe"
| where ProcessCommandLine contains "Get-WmiObject" or ProcessCommandLine contains "Win32_Group" or ProcessCommandLine contains "LocalGroup"
| project DeviceName, InitiatingProcessAccountName, ProcessCreationTime, ProcessCommandLine
| order by ProcessCreationTime desc
```

gpt-4.1-nano

No query generated.

gpt-4o

```kql
DeviceProcessEvents
| where FileName == "powershell.exe"
    and isnotempty(ProcessCommandLine)
    and (ProcessCommandLine has "Get-WmiObject" or ProcessCommandLine has "wmic")
    and (ProcessCommandLine has "localgroup" or ProcessCommandLine has "group")
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
```

grok-3-beta

```kql
DeviceProcessEvents
| where InitiatingProcessFileName in ('powershell.exe', 'pwsh.exe')
| where ProcessCommandLine contains 'Get-WmiObject' or ProcessCommandLine contains 'Win32_Group' or ProcessCommandLine contains 'group' or ProcessCommandLine contains 'wmi'
| project DeviceName, AccountName, ProcessCommandLine, Timestamp
| order by Timestamp desc
```

grok-3-mini-beta

```kql
DeviceProcessEvents
| where FileName =~ 'powershell.exe'
| where ProcessCommandLine contains 'Get-WmiObject' and ProcessCommandLine contains 'Win32_Group'
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated desc
| limit 100
```

o1-high

```kql
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("Get-WmiObject", "gwmi")
| where ProcessCommandLine has "Win32_Group"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated desc
```

o1-low

```kql
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any ("Get-WmiObject", "gwmi", "Win32_Group", "Win32_GroupUser")
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated desc
```

o3-mini-high

```kql
DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ((tolower(InitiatingProcessCommandLine) has "get-wmiobject") or (tolower(ProcessCommandLine) has "get-wmiobject"))
    and ((tolower(InitiatingProcessCommandLine) has "win32_group") or (tolower(ProcessCommandLine) has "win32_group"))
| project TimeGenerated, DeviceName, ExactCommand = iif(isnotempty(InitiatingProcessCommandLine), InitiatingProcessCommandLine, ProcessCommandLine)
| sort by TimeGenerated desc
```

o3-mini-low

```kql
union DeviceProcessEvents, DeviceEvents
| extend PSCommand = coalesce(InitiatingProcessCommandLine, ProcessCommandLine, tostring(AdditionalFields.CommandLine))
| where tolower(PSCommand) contains "powershell"
| where tolower(PSCommand) contains "win32_group" and (tolower(PSCommand) contains "get-wmiobject" or tolower(PSCommand) contains "gwmi")
| project TimeGenerated, DeviceName, AccountName, PSCommand
| order by TimeGenerated desc
```

o4-mini-high

```kql
DeviceProcessEvents
| where ProcessCommandLine has "powershell"
| where ProcessCommandLine has_any ("Win32_Group", "Get-WmiObject", "Invoke-WmiMethod", "wmic group")
| project TimeGenerated, DeviceName, AccountName, ProcessId, ProcessCommandLine
| sort by TimeGenerated desc
```

o4-mini-low

No query generated.
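The reference answer and the correct queries above share one detection idea: a PowerShell host process whose command line names a WMI cmdlet (Get-WmiObject or its gwmi alias) together with the Win32_Group class. The Python below is an added example, not part of the benchmark and not any model's output. It re-implements that predicate over constructed DeviceProcessEvents-style records so that the tight form (o1-high's AND of host, cmdlet and class), the broad form (grok-3-beta's OR chain of `contains`) and a widening to the CIM cmdlets can be compared on the same input, and it strips the host invocation to recover the "exact command" the question asks for. `kql_has` and `kql_contains` are approximations of Kusto's `has` and `contains` semantics; the sample events, hostnames and account names are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """The DeviceProcessEvents columns the queries on this page actually use."""
    timestamp: str
    device_name: str
    account_name: str
    file_name: str
    process_command_line: str


# Constructed sample telemetry for this example; none of it comes from a real tenant.
SAMPLE_EVENTS = [
    ProcessEvent("2024-05-01T10:02:11Z", "ws01", "alice", "powershell.exe",
                 '"powershell.exe" & {Get-WMIObject Win32_Group}'),           # the true positive
    ProcessEvent("2024-05-01T10:02:15Z", "ws01", "alice", "powershell.exe",
                 "powershell.exe -Command gwmi win32_group | select Name"),    # alias, lower case
    ProcessEvent("2024-05-01T10:03:00Z", "ws02", "bob", "pwsh.exe",
                 "pwsh.exe -c Get-CimInstance -ClassName Win32_Group"),        # CIM equivalent
    ProcessEvent("2024-05-01T10:04:30Z", "ws03", "carol", "powershell.exe",
                 "powershell.exe -File C:\\scripts\\Backup-GroupPolicy.ps1"),  # benign, has 'group'
    ProcessEvent("2024-05-01T10:05:00Z", "ws03", "carol", "powershell.exe",
                 "powershell.exe Get-WmiObject Win32_OperatingSystem"),        # WMI, not groups
    ProcessEvent("2024-05-01T10:06:00Z", "ws04", "dave", "cmd.exe",
                 "cmd.exe /c wmic group list brief"),                          # not a PowerShell host
]

POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def kql_has(text: str, term: str) -> bool:
    """Approximation of KQL `has`: case-insensitive match on whole-term boundaries,
    so "Win32_Group" does not match "Win32_GroupUser" (underscore is kept inside a term)."""
    pattern = r"(?<![A-Za-z0-9_])" + re.escape(term) + r"(?![A-Za-z0-9_])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def kql_contains(text: str, term: str) -> bool:
    """Approximation of KQL `contains`: case-insensitive substring match, no boundaries."""
    return term.lower() in text.lower()


def _is_powershell_host(event: ProcessEvent) -> bool:
    return event.file_name.lower() in POWERSHELL_HOSTS


def tight_query(events):
    """Same predicate as the o1-high query: host AND (Get-WmiObject or gwmi) AND Win32_Group."""
    return [e for e in events
            if _is_powershell_host(e)
            and (kql_has(e.process_command_line, "Get-WmiObject")
                 or kql_has(e.process_command_line, "gwmi"))
            and kql_has(e.process_command_line, "Win32_Group")]


def broad_query(events):
    """Same predicate as the grok-3-beta OR chain: any one substring is enough, so
    unrelated WMI calls and anything mentioning 'group' match as well."""
    return [e for e in events
            if _is_powershell_host(e)
            and any(kql_contains(e.process_command_line, t)
                    for t in ("Get-WmiObject", "Win32_Group", "group", "wmi"))]


def hunt_query(events):
    """Tight query widened to the CIM cmdlets (Get-CimInstance / gcim), which read the
    same WMI class and are missed by every query that requires Get-WmiObject or gwmi."""
    cmdlets = ("Get-WmiObject", "gwmi", "Get-CimInstance", "gcim")
    return [e for e in events
            if _is_powershell_host(e)
            and any(kql_has(e.process_command_line, c) for c in cmdlets)
            and kql_has(e.process_command_line, "Win32_Group")]


# Host binary (optionally quoted), leading switches such as -Command / -c / -File,
# then an optional "& { ... }" script block wrapper around the command itself.
_HOST_WRAPPER = re.compile(
    r'^"?(?:powershell_ise|powershell|pwsh)(?:\.exe)?"?\s*'
    r'(?:-\w+\s+)*'
    r'(?:&\s*)?\{?\s*(.*?)\s*\}?\s*$',
    re.IGNORECASE)


def extract_command(command_line: str) -> str:
    """Strip the PowerShell host invocation so the 'exact command' is what remains;
    returns the full line unchanged when it is not a recognised PowerShell launch."""
    m = _HOST_WRAPPER.match(command_line)
    return m.group(1) if m else command_line


if __name__ == "__main__":
    for label, query in (("tight", tight_query), ("broad", broad_query), ("hunt", hunt_query)):
        print(label, [extract_command(e.process_command_line) for e in query(SAMPLE_EVENTS)])
```

On the sample, the tight query returns only the two Get-WmiObject/gwmi events, and `extract_command` reduces the first of them to `Get-WMIObject Win32_Group`, the reference answer. The broad query additionally returns the Backup-GroupPolicy.ps1 and Win32_OperatingSystem lines, which is the false-positive cost of `contains 'group'` and `contains 'wmi'`. The Get-CimInstance event is found only by the widened query; in the table above, gpt-4.1 is the one model whose `has_any` list covers it. The o3-mini-high miss has a different cause that is visible in its query: the `iif` in its `project` prefers InitiatingProcessCommandLine, the parent process's command line, whenever that column is populated, so the "exact command" it reports is the parent's rather than the PowerShell child's, which is consistent with it answering Invoke-AtomicTest.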