Question Analysis
Review Windows process execution logs for any PowerShell activity that retrieves the system clock. Which command was executed?
1d5711d6-655c-4a47-ae9c-6503c74fa877
Question ID
13/16
Models Correct
1
Valid Answer
81%
Success Rate
Reference Answer
Human-validated correct answer for this question
Get-Date
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | Get-Date | DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has "Get-Date" or ProcessCommandLine has "[System.DateTime]::Now"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine | Correct | 1 | 7.58s | 0.0032 |
| gpt-35-turbo | Get-Date | DeviceProcessEvents | where ProcessCommandLine contains 'Get-Date' or ProcessCommandLine contains 'DateTime' | Correct | 1 | 2.33s | 0.0039 |
| gpt-4-turbo-2024-04-09 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2324 |
| gpt-4.1 | Get-Date | DeviceProcessEvents
| where FileName =~ "powershell.exe" or FileName =~ "pwsh.exe"
| where ProcessCommandLine has_any ("Get-Date", "[System.DateTime]", "w32tm")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine | Correct | 1 | 4.79s | 0.0114 |
| gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0405 |
| gpt-4.1-mini | Get-Date | DeviceProcessEvents
| where FileName has_cs "powershell"
| where ProcessCommandLine has_any ("date", "time", "get-date", "systemclock")
| project TimeGenerated, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 21.72s | 0.0026 |
| gpt-4.1-nano | Get-Date | DeviceProcessEvents
| where ProcessCommandLine has_any ("Get-Date", "get-date")
| project TimeGenerated, DeviceName, ProcessCommandLine | Correct | 1 | 1.59s | 0.0005 |
| gpt-4o | Invoke-AtomicTest T1124 | DeviceProcessEvents
| where InitiatingProcessFileName == "powershell.exe"
| where ProcessCommandLine has_any ("Get-Date", "system clock")
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, AccountName | Incorrect | 1 | 5.61s | 0.0151 |
| grok-3-beta | Get-Date | DeviceProcessEvents
| where FileName contains "powershell" or InitiatingProcessFileName contains "powershell"
| where ProcessCommandLine has_any ("Get-Date", "System.DateTime", "date", "time") or InitiatingProcessCommandLine has_any ("Get-Date", "System.DateTime", "date", "time")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCreationTime
| order by Timestamp desc | Correct | 1 | 8.65s | 0.0286 |
| grok-3-mini-beta | Get-Date | DeviceProcessEvents
| where FileName =~ 'powershell.exe'
| where ProcessCommandLine contains 'Get-Date' or ProcessCommandLine contains '[DateTime]::Now' or ProcessCommandLine contains '[System.DateTime]::Now'
| project TimeGenerated, DeviceName, ProcessCommandLine
| order by TimeGenerated desc
| limit 100 | Correct | 1 | 14.04s | 0.0016 |
| o1-high | Get-Date | DeviceProcessEvents
| where FileName =~ "powershell.exe" or ProcessCommandLine contains "powershell"
| where ProcessCommandLine contains "Get-Date"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | Correct | 1 | 28.95s | 0.2065 |
| o1-low | Get-Date | DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any ("Get-Date", "Win32_LocalTime")
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 25.09s | 0.1976 |
| o3-mini-high | Get-Date | DeviceProcessEvents
| where (FileName has "powershell.exe" or InitiatingProcessFileName has "powershell.exe")
| where ProcessCommandLine has "Get-Date"
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine | Correct | 1 | 6.89s | 0.0086 |
| o3-mini-low | Get-Date | DeviceProcessEvents
| where tolower(InitiatingProcessFileName) contains "powershell"
| where tolower(InitiatingProcessCommandLine) contains "get-date"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 12.86s | 0.0122 |
| o4-mini-high | Get-Date | DeviceProcessEvents
| where FileName in ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
// look for commands that retrieve or query the system time
| where ProcessCommandLine has "get-date"
or ProcessCommandLine matches regex @"(?i)\[datetime\]::(Now|UtcNow)"
or ProcessCommandLine matches regex @"(?i)\bw32tm\b"
or ProcessCommandLine matches regex @"(?i)\bnet\s+time\b"
or ProcessCommandLine matches regex @"(?i)get-wmiobject.*time"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| sort by TimeGenerated desc | Correct | 2 | 50.71s | 0.0168 |
| o4-mini-low | Get-Date | DeviceProcessEvents
// Restrict to PowerShell executables
| where FileName in~ ("powershell.exe", "pwsh.exe")
// Look for the Get-Date cmdlet which retrieves the system clock
| where ProcessCommandLine has "Get-Date"
// Project the fields of interest
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine
| sort by TimeGenerated desc | Correct | 1 | 29.22s | 0.0083 |