// question

Review the process creation logs on a Windows host to uncover any tool execution indicative of a special APC injection for shellcode execution. What was the name of the executable used?

Reference KQL answer and model-by-model comparison.

4cc571b1-f450-414a-850f-879baf36aa06
question id
0/23
models correct
1
valid answer
0%
success rate
// reference answer

Human-validated correct answer for this question.

NtQueueApcThreadEx.exe
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
powershell.exe
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine contains "inject" or ProcessCommandLine contains "shellcode" or ProcessCommandLine contains "beacon" or ProcessCommandLine contains "payload" or FileName contains "inject" or FileName contains "shellcode" or FileName contains "beacon" or FileName contains "payload"
| distinct FileName
fail135.43s0.0198
gpt-35-turbo
no answer
no query generatedfail50.00s0.0110
gpt-4-turbo-2024-04-09
no answer
no query generatedfail50.00s0.2311
gpt-4.1
no answer
no query generatedfail50.00s0.0634
gpt-4.1-finetuned
no answer
no query generatedfail50.00s0.0606
gpt-4.1-mini
no answer
no query generatedfail50.00s0.0082
gpt-4.1-nano
no answer
no query generatedfail50.00s0.0017
gpt-4o
no answer
no query generatedfail50.00s0.0397
gpt-5-high
no answer
no query generatedfail50.00s0.2339
gpt-5-mini-high
no answer
no query generatedfail50.00s0.0256
gpt-5-mini-low
no answer
no query generatedfail50.00s0.0179
gpt-5-mini-medium
no answer
no query generatedfail50.00s0.0203
gpt-5-nano-high
no answer
no query generatedfail50.00s0.0071
gpt-5-nano-medium
no answer
no query generatedfail50.00s0.0059
grok-3-beta
rundll32.exe
DeviceProcessEvents
| where ActionType == 'ProcessCreated'
| where ProcessCommandLine contains 'rundll32' or ProcessCommandLine contains 'regsvr32' or ProcessCommandLine contains 'mshta' or InitiatingProcessFileName in ('rundll32.exe', 'regsvr32.exe', 'mshta.exe')
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath
| order by Timestamp desc
fail111.36s0.0305
grok-3-mini-beta
powershell.exe, rundll32.exe
DeviceProcessEvents
| where ActionType == 'ProcessCreated'
| where FileName in~ ('rundll32.exe', 'regsvr32.exe', 'powershell.exe') and (ProcessCommandLine has 'dll' or ProcessCommandLine has 'http')
| project FileName, ProcessCommandLine, Timestamp
| summarize ExecutableUsed = arg_max(FileName, *) by FileName
| project ExecutableUsed
fail115.78s0.0016
o1-high
no answer
no query generatedfail50.00s0.8757
o1-low
no answer
no query generatedfail50.00s0.7335
o3-high
gpg
// ------------- Hunt for the "Special APC" shell-code injector -----------------
let apc_keywords = dynamic(["special_apc","specialapc","special-apc","special","queueuserapc","queue_user_apc","apcinject","apc_inject","shellcode","inject"]);
DeviceProcessEvents
| where ActionType =~ "ProcessCreated"                        // keep only process-creation events
| extend lFile = tolower(FileName),
         lCmd  = tolower(ProcessCommandLine)                   // normalise for case-insensitive keyword search
| where lFile has_any(apc_keywords) or lCmd has_any(apc_keywords)
// Return the interesting details for investigation
| project TimeGenerated, DeviceName, AccountName, FolderPath, FileName,
          ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
// --- If you only need the name of the executable that performed the Special APC injection, uncomment the next line ---
// | distinct FileName
fail4161.96s0.0664
o3-mini-high
no answer
no query generatedfail50.00s0.0519
o3-mini-low
no answer
no query generatedfail50.00s0.0425
o4-mini-high
no answer
no query generatedfail50.00s0.0473
o4-mini-low
no answer
no query generatedfail50.00s0.0441