// question
Review the process creation logs on a Windows host to uncover any tool execution indicative of a special APC injection for shellcode execution. What was the name of the executable used?
Reference KQL answer and model-by-model comparison.
4cc571b1-f450-414a-850f-879baf36aa06
question id
0/23
models correct
1
valid answer
0%
success rate
// reference answer
Human-validated correct answer for this question.
NtQueueApcThreadEx.exe
// model comparison
| Model | Answer | KQL query | Status | Tries | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | powershell.exe | DeviceProcessEvents | where ActionType == "ProcessCreated" | where ProcessCommandLine contains "inject" or ProcessCommandLine contains "shellcode" or ProcessCommandLine contains "beacon" or ProcessCommandLine contains "payload" or FileName contains "inject" or FileName contains "shellcode" or FileName contains "beacon" or FileName contains "payload" | distinct FileName | fail | 1 | 35.43s | 0.0198 |
| gpt-35-turbo | no answer | no query generated | fail | 5 | 0.00s | 0.0110 |
| gpt-4-turbo-2024-04-09 | no answer | no query generated | fail | 5 | 0.00s | 0.2311 |
| gpt-4.1 | no answer | no query generated | fail | 5 | 0.00s | 0.0634 |
| gpt-4.1-finetuned | no answer | no query generated | fail | 5 | 0.00s | 0.0606 |
| gpt-4.1-mini | no answer | no query generated | fail | 5 | 0.00s | 0.0082 |
| gpt-4.1-nano | no answer | no query generated | fail | 5 | 0.00s | 0.0017 |
| gpt-4o | no answer | no query generated | fail | 5 | 0.00s | 0.0397 |
| gpt-5-high | no answer | no query generated | fail | 5 | 0.00s | 0.2339 |
| gpt-5-mini-high | no answer | no query generated | fail | 5 | 0.00s | 0.0256 |
| gpt-5-mini-low | no answer | no query generated | fail | 5 | 0.00s | 0.0179 |
| gpt-5-mini-medium | no answer | no query generated | fail | 5 | 0.00s | 0.0203 |
| gpt-5-nano-high | no answer | no query generated | fail | 5 | 0.00s | 0.0071 |
| gpt-5-nano-medium | no answer | no query generated | fail | 5 | 0.00s | 0.0059 |
| grok-3-beta | rundll32.exe | DeviceProcessEvents
| where ActionType == 'ProcessCreated'
| where ProcessCommandLine contains 'rundll32' or ProcessCommandLine contains 'regsvr32' or ProcessCommandLine contains 'mshta' or InitiatingProcessFileName in ('rundll32.exe', 'regsvr32.exe', 'mshta.exe')
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath
| order by Timestamp desc | fail | 1 | 11.36s | 0.0305 |
| grok-3-mini-beta | powershell.exe, rundll32.exe | DeviceProcessEvents
| where ActionType == 'ProcessCreated'
| where FileName in~ ('rundll32.exe', 'regsvr32.exe', 'powershell.exe') and (ProcessCommandLine has 'dll' or ProcessCommandLine has 'http')
| project FileName, ProcessCommandLine, Timestamp
| summarize ExecutableUsed = arg_max(FileName, *) by FileName
| project ExecutableUsed | fail | 1 | 15.78s | 0.0016 |
| o1-high | no answer | no query generated | fail | 5 | 0.00s | 0.8757 |
| o1-low | no answer | no query generated | fail | 5 | 0.00s | 0.7335 |
| o3-high | gpg | // ------------- Hunt for the "Special APC" shell-code injector -----------------
let apc_keywords = dynamic(["special_apc","specialapc","special-apc","special","queueuserapc","queue_user_apc","apcinject","apc_inject","shellcode","inject"]);
DeviceProcessEvents
| where ActionType =~ "ProcessCreated" // keep only process-creation events
| extend lFile = tolower(FileName),
lCmd = tolower(ProcessCommandLine) // normalise for case-insensitive keyword search
| where lFile has_any(apc_keywords) or lCmd has_any(apc_keywords)
// Return the interesting details for investigation
| project TimeGenerated, DeviceName, AccountName, FolderPath, FileName,
ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
// --- If you only need the name of the executable that performed the Special APC injection, uncomment the next line ---
// | distinct FileName | fail | 4 | 161.96s | 0.0664 |
| o3-mini-high | no answer | no query generated | fail | 5 | 0.00s | 0.0519 |
| o3-mini-low | no answer | no query generated | fail | 5 | 0.00s | 0.0425 |
| o4-mini-high | no answer | no query generated | fail | 5 | 0.00s | 0.0473 |
| o4-mini-low | no answer | no query generated | fail | 5 | 0.00s | 0.0441 |