Question Analysis
Review Windows process execution logs for any PowerShell activity that retrieves the system clock. Which command was executed?
1d5711d6-655c-4a47-ae9c-6503c74fa877
Question ID
19/23
Models Correct
1
Valid Answer
83%
Success Rate
Reference Answer
Human-validated correct answer for this question
Get-Date
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | Get-Date | DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has "Get-Date" or ProcessCommandLine has "[System.DateTime]::Now"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine | Correct | 1 | 7.58s | 0.0032 |
| gpt-35-turbo | Get-Date | DeviceProcessEvents | where ProcessCommandLine contains 'Get-Date' or ProcessCommandLine contains 'DateTime' | Correct | 1 | 2.33s | 0.0039 |
| gpt-4-turbo-2024-04-09 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2324 |
| gpt-4.1 | Get-Date | DeviceProcessEvents
| where FileName =~ "powershell.exe" or FileName =~ "pwsh.exe"
| where ProcessCommandLine has_any ("Get-Date", "[System.DateTime]", "w32tm")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine | Correct | 1 | 4.79s | 0.0114 |
| gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0405 |
| gpt-4.1-mini | Get-Date | DeviceProcessEvents
| where FileName has_cs "powershell"
| where ProcessCommandLine has_any ("date", "time", "get-date", "systemclock")
| project TimeGenerated, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 21.72s | 0.0026 |
| gpt-4.1-nano | Get-Date | DeviceProcessEvents
| where ProcessCommandLine has_any ("Get-Date", "get-date")
| project TimeGenerated, DeviceName, ProcessCommandLine | Correct | 1 | 1.59s | 0.0005 |
| gpt-4o | Invoke-AtomicTest T1124 | DeviceProcessEvents
| where InitiatingProcessFileName == "powershell.exe"
| where ProcessCommandLine has_any ("Get-Date", "system clock")
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, AccountName | Incorrect | 1 | 5.61s | 0.0151 |
| gpt-5-high | Get-Date | let psHosts = dynamic(["powershell.exe","pwsh.exe","powershell_ise.exe"]);
DeviceProcessEvents
| where FileName in~ (psHosts)
| extend PCL = tostring(ProcessCommandLine), PCL_L = tolower(ProcessCommandLine)
| where PCL_L matches regex @"\b(get-date|\[(system\.)?datetime\]::(utc)?now|get-(wmiobject|ciminstance).*(win32_)?(localtime|utctime)|wmic\s+os\s+get\s+localdatetime)\b"
| extend ClockCommand =
case(
PCL_L matches regex @"\bget-date\b", "Get-Date",
PCL_L matches regex @"\[(system\.)?datetime\]::utcnow\b", "[DateTime]::UtcNow",
PCL_L matches regex @"\[(system\.)?datetime\]::now\b", "[DateTime]::Now",
PCL_L matches regex @"\bget-ciminstance\b.*\b(win32_)?(localtime|utctime)\b", "Get-CimInstance Win32_(LocalTime|UTCTime)",
PCL_L matches regex @"\bget-wmiobject\b.*\b(win32_)?(localtime|utctime)\b", "Get-WmiObject Win32_(LocalTime|UTCTime)",
PCL_L matches regex @"\bwmic\s+os\s+get\s+localdatetime\b", "wmic os get localdatetime",
"Clock retrieval")
| project TimeGenerated, DeviceName, AccountDomain, AccountName, FileName, CommandExecuted=PCL, ClockCommand, InitiatingProcessParentFileName, InitiatingProcessParentId, ProcessId
| order by TimeGenerated desc | Correct | 1 | 112.38s | 0.0492 |
| gpt-5-mini-high | Get-Date | let time_patterns = dynamic(["get-date","[datetime]::now","[datetime]::utcnow","get-ciminstance","win32_operatingsystem","get-wmiobject","w32tm","get-uptime","get-timezone","get-culture"]);
union DeviceProcessEvents, DeviceEvents
| where (
tolower(FileName) in ('powershell.exe','pwsh.exe','powershell_ise.exe')
or tolower(ProcessCommandLine) contains "powershell"
or tolower(ProcessCommandLine) contains "pwsh"
or tolower(InitiatingProcessFileName) in ('powershell.exe','pwsh.exe','powershell_ise.exe')
or tolower(InitiatingProcessCommandLine) contains "powershell"
or tolower(InitiatingProcessCommandLine) contains "pwsh"
)
| where (
(isnotempty(ProcessCommandLine) and tolower(ProcessCommandLine) has_any (time_patterns))
or (isnotempty(InitiatingProcessCommandLine) and tolower(InitiatingProcessCommandLine) has_any (time_patterns))
or (isnotempty(tostring(AdditionalFields)) and tolower(tostring(AdditionalFields)) has_any (time_patterns))
)
| project TimeGenerated, DeviceName, FileName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName, ActionType, ReportId
| order by TimeGenerated desc
| take 200 | Correct | 2 | 33.05s | 0.0092 |
| gpt-5-mini-low | Get-Date | let powershell_names = dynamic(["powershell","powershell.exe","powershell_ise.exe","pwsh","pwsh.exe"]);
let clock_patterns = dynamic([
"get-date",
"[datetime]::now",
"[system.datetime]::now",
"w32tm /query",
"get-uptime",
"get-ciminstance",
"get-wmiobject",
"get-computerinfo",
"(get-date)",
"csSystemBootTime"
]);
// Prefer DeviceProcessEvents for command line telemetry
let dpe = DeviceProcessEvents
| where isnotempty(ProcessCommandLine) or isnotempty(FileName)
| where (
array_length(powershell_names) == 0
or (
tolower(FileName) contains "powershell"
or tolower(FileName) contains "pwsh"
or tolower(ProcessCommandLine) contains "powershell"
or tolower(ProcessCommandLine) contains "pwsh"
)
)
| extend cmd = tostring(ProcessCommandLine)
| where
tolower(cmd) contains "get-date"
or tolower(cmd) contains "[datetime]::now"
or tolower(cmd) contains "[system.datetime]::now"
or tolower(cmd) contains "w32tm /query"
or tolower(cmd) contains "get-uptime"
or tolower(cmd) contains "get-ciminstance"
or tolower(cmd) contains "get-wmiobject"
or tolower(cmd) contains "get-computerinfo"
or tolower(cmd) contains "(get-date)"
| extend matched =
iff(tolower(cmd) contains "get-date","get-date",
iff(tolower(cmd) contains "[datetime]::now","[datetime]::now",
iff(tolower(cmd) contains "[system.datetime]::now","[system.datetime]::now",
iff(tolower(cmd) contains "w32tm /query","w32tm /query",
iff(tolower(cmd) contains "get-uptime","get-uptime",
iff(tolower(cmd) contains "get-ciminstance","get-ciminstance",
iff(tolower(cmd) contains "get-wmiobject","get-wmiobject",
iff(tolower(cmd) contains "get-computerinfo","get-computerinfo","other"))))))))
| project TimeGenerated, DeviceName, FileName, ProcessId, ProcessCreationTime, ProcessCommandLine=cmd, InitiatingProcessFileName, InitiatingProcessCommandLine, matched;
let de = DeviceEvents
| where isnotempty(ProcessCommandLine) or isnotempty(FileName) or isnotempty(InitiatingProcessCommandLine)
| where (
tolower(FileName) contains "powershell"
or tolower(FileName) contains "pwsh"
or tolower(ProcessCommandLine) contains "powershell"
or tolower(ProcessCommandLine) contains "pwsh"
or tolower(InitiatingProcessCommandLine) contains "powershell"
or tolower(InitiatingProcessCommandLine) contains "pwsh"
)
| extend CommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine)
| extend cmd = tostring(CommandLine)
| where
tolower(cmd) contains "get-date"
or tolower(cmd) contains "[datetime]::now"
or tolower(cmd) contains "[system.datetime]::now"
or tolower(cmd) contains "w32tm /query"
or tolower(cmd) contains "get-uptime"
or tolower(cmd) contains "get-ciminstance"
or tolower(cmd) contains "get-wmiobject"
or tolower(cmd) contains "get-computerinfo"
or tolower(cmd) contains "(get-date)"
| extend matched =
iff(tolower(cmd) contains "get-date","get-date",
iff(tolower(cmd) contains "[datetime]::now","[datetime]::now",
iff(tolower(cmd) contains "[system.datetime]::now","[system.datetime]::now",
iff(tolower(cmd) contains "w32tm /query","w32tm /query",
iff(tolower(cmd) contains "get-uptime","get-uptime",
iff(tolower(cmd) contains "get-ciminstance","get-ciminstance",
iff(tolower(cmd) contains "get-wmiobject","get-wmiobject",
iff(tolower(cmd) contains "get-computerinfo","get-computerinfo","other"))))))))
| project TimeGenerated, DeviceName, FileName, ProcessId, ProcessCreationTime, ProcessCommandLine=cmd, InitiatingProcessFileName, InitiatingProcessCommandLine, matched;
union dpe, de
| sort by TimeGenerated desc
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Count = count(), ExampleCommands = make_list(ProcessCommandLine, 5) by DeviceName, FileName, tostring(ProcessId), InitiatingProcessFileName, matched
| project FirstSeen, LastSeen, Count, DeviceName, FileName, ProcessId = tostring(ProcessId), InitiatingProcessFileName, matched, ExampleCommands
| top 100 by LastSeen desc | Correct | 5 | 76.03s | 0.0171 |
| gpt-5-mini-medium | Get-Date | DeviceProcessEvents
| where FileName in~ ("powershell.exe","pwsh.exe") or ProcessCommandLine has_any ("powershell","pwsh")
| where ProcessCommandLine matches regex @"(?i)\b(Get-Date|Get-Date\(|Get-WmiObject\s+Win32_LocalTime|Get-CimInstance\s+Win32_UTCTime|Get-CimInstance\s+Win32_LocalTime|\[DateTime\]::Now|w32tm\s+/query|Get-Culture|Get-TimeZone)\b"
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| extend MatchedCommand = extract(@"(?i)(Get-Date\b.*|Get-WmiObject\s+Win32_LocalTime.*|Get-CimInstance\s+Win32_UTCTime.*|Get-CimInstance\s+Win32_LocalTime.*|\[DateTime\]::Now.*|w32tm\s+/query.*|Get-Culture.*|Get-TimeZone.*)", 0, ProcessCommandLine)
| where isnotempty(MatchedCommand)
| summarize count(), AnyCommandLines = make_set(ProcessCommandLine, 50) by DeviceName, AccountName, FileName, ProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by count_ desc
| project DeviceName, AccountName, FileName, ProcessId, count_, AnyCommandLines, InitiatingProcessFileName, InitiatingProcessCommandLine
| take 100 | Correct | 1 | 12.72s | 0.0034 |
| gpt-5-nano-high | Get-Date | DeviceProcessEvents
| where (InitiatingProcessFileName has_cs "powershell.exe" or InitiatingProcessFileName has_cs "pwsh.exe" or ProcessCommandLine has_cs "powershell" or ProcessCommandLine has_cs "pwsh")
| where (InitiatingProcessCommandLine has_cs "Get-Date" or InitiatingProcessCommandLine has_cs "[DateTime]::Now" or InitiatingProcessCommandLine has_cs "GetSystemTime" or InitiatingProcessCommandLine has_cs "GetSystemTimeAsFileTime" or ProcessCommandLine has_cs "Get-Date" or ProcessCommandLine has_cs "[DateTime]::Now" or ProcessCommandLine has_cs "GetSystemTime")
| extend CommandLineExecuted = coalesce(InitiatingProcessCommandLine, ProcessCommandLine)
| project TimeGenerated, DeviceName, InitiatingProcessFileName, CommandLineExecuted
| sort by TimeGenerated desc
| take 100 | Correct | 1 | 33.30s | 0.0024 |
| gpt-5-nano-medium | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0059 |
| grok-3-beta | Get-Date | DeviceProcessEvents
| where FileName contains "powershell" or InitiatingProcessFileName contains "powershell"
| where ProcessCommandLine has_any ("Get-Date", "System.DateTime", "date", "time") or InitiatingProcessCommandLine has_any ("Get-Date", "System.DateTime", "date", "time")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCreationTime
| order by Timestamp desc | Correct | 1 | 8.65s | 0.0286 |
| grok-3-mini-beta | Get-Date | DeviceProcessEvents
| where FileName =~ 'powershell.exe'
| where ProcessCommandLine contains 'Get-Date' or ProcessCommandLine contains '[DateTime]::Now' or ProcessCommandLine contains '[System.DateTime]::Now'
| project TimeGenerated, DeviceName, ProcessCommandLine
| order by TimeGenerated desc
| limit 100 | Correct | 1 | 14.04s | 0.0016 |
| o1-high | Get-Date | DeviceProcessEvents
| where FileName =~ "powershell.exe" or ProcessCommandLine contains "powershell"
| where ProcessCommandLine contains "Get-Date"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | Correct | 1 | 28.95s | 0.2065 |
| o1-low | Get-Date | DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any ("Get-Date", "Win32_LocalTime")
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 25.09s | 0.1976 |
| o3-high | Get-Date | // ================================
// PowerShell activity that queries the system clock
// ================================
let date_time_terms = dynamic([
"get-date", // Native cmdlet
"get-wmiobject", "get-ciminstance", // WMI / CIM cmdlets
"win32_localtime", "win32_utctime", // WMI classes
"wmic path win32_localtime", "wmic path win32_utctime"
]);
DeviceProcessEvents
// --- portal will inject the time filter ---
| where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any (date_time_terms)
// try to capture the first PS statement after -Command / -c
| extend _cmd = tostring(extract(@"(?i)(?:-command|-c)\s+['"" ]?([^'"" ]+.*)", 1, ProcessCommandLine))
| extend ExecutedCommand = case(
isnotempty(_cmd), _cmd,
ProcessCommandLine matches regex @"(?i)-encoded(command)?\b", "<encoded payload – decode manually>",
ProcessCommandLine
)
| project TimeGenerated, DeviceName, AccountDomain, AccountName, FileName, ExecutedCommand, ProcessCommandLine
| order by TimeGenerated desc | Correct | 3 | 87.04s | 0.0626 |
| o3-mini-high | Get-Date | DeviceProcessEvents
| where (FileName has "powershell.exe" or InitiatingProcessFileName has "powershell.exe")
| where ProcessCommandLine has "Get-Date"
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine | Correct | 1 | 6.89s | 0.0086 |
| o3-mini-low | Get-Date | DeviceProcessEvents
| where tolower(InitiatingProcessFileName) contains "powershell"
| where tolower(InitiatingProcessCommandLine) contains "get-date"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 12.86s | 0.0122 |
| o4-mini-high | Get-Date | DeviceProcessEvents
| where FileName in ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
// look for commands that retrieve or query the system time
| where ProcessCommandLine has "get-date"
or ProcessCommandLine matches regex @"(?i)\[datetime\]::(Now|UtcNow)"
or ProcessCommandLine matches regex @"(?i)\bw32tm\b"
or ProcessCommandLine matches regex @"(?i)\bnet\s+time\b"
or ProcessCommandLine matches regex @"(?i)get-wmiobject.*time"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| sort by TimeGenerated desc | Correct | 2 | 50.71s | 0.0168 |
| o4-mini-low | Get-Date | DeviceProcessEvents
// Restrict to PowerShell executables
| where FileName in~ ("powershell.exe", "pwsh.exe")
// Look for the Get-Date cmdlet which retrieves the system clock
| where ProcessCommandLine has "Get-Date"
// Project the fields of interest
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine
| sort by TimeGenerated desc | Correct | 1 | 29.22s | 0.0083 |