Question Analysis
Review Windows process execution logs to find any native utility that was used to enumerate connected drives. Which utility was invoked?
Question ID: 424e18fd-48b8-4201-8d3a-bf591523a686
Models Correct: 3/16
Valid Answer: 1
Success Rate: 19%
Reference Answer
Human-validated correct answer for this question (in the table below, both `fsutil` and `fsutil.exe` are graded Correct)
fsutil
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | net.exe | DeviceProcessEvents
| where FileName in~ ("wmic.exe", "powershell.exe", "net.exe", "fsutil.exe")
| where (FileName =~ "wmic.exe" and ProcessCommandLine contains "logicaldisk get caption")
or (FileName =~ "powershell.exe" and ProcessCommandLine contains "Get-PSDrive" and ProcessCommandLine contains "FileSystem")
or (FileName =~ "net.exe" and ProcessCommandLine contains "use")
or (FileName =~ "fsutil.exe" and ProcessCommandLine contains "fsinfo drives")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName | Incorrect | 1 | 21.19s | 0.0106 |
gpt-35-turbo | net use | DeviceProcessEvents
| where ProcessCommandLine contains 'net use' or ProcessCommandLine contains 'wmic logicaldisk list'
| project ProcessCommandLine, TimeGenerated | Incorrect | 1 | 4.08s | 0.0025 |
gpt-4-turbo-2024-04-09 | net | DeviceProcessEvents
| where ActionType == 'ProcessCreated'
| where (ProcessCommandLine has 'diskpart' and (ProcessCommandLine has_any('list', 'volume', 'disk')))
or (ProcessCommandLine has 'wmic' and (ProcessCommandLine has 'logicaldisk' or ProcessCommandLine has 'volume'))
or (ProcessCommandLine has 'net' and ProcessCommandLine has 'use')
| project DeviceId, DeviceName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, TimeGenerated | Incorrect | 5 | 35.79s | 0.2400 |
gpt-4.1 | fsutil.exe | DeviceProcessEvents
| where FileName in~ ("wmic.exe", "diskpart.exe", "mountvol.exe", "fsutil.exe", "cmd.exe", "powershell.exe")
| where ProcessCommandLine has_any ("logicaldisk", "list disk", "list volume", "mountvol", "fsutil", "drives", "get-psdrive")
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine
| order by TimeGenerated desc | Correct | 3 | 13.03s | 0.0281 |
gpt-4.1-finetuned | net.exe | DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FileName == "net.exe" or FileName == "net1.exe")
| extend cmd = tostring(split(ProcessCommandLine, "/")[0])
| where cmd contains "use"
| project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, FileName, InitiatingProcessAccountDomain
| extend Account = strcat(InitiatingProcessAccountDomain, "/", InitiatingProcessAccountName)
| Incorrect | 2 | 17.10s | 0.0236 |
gpt-4.1-mini | fsutil | DeviceProcessEvents
| where ProcessCommandLine has_any ("mountvol", "net use", "wmic logicaldisk", "fsutil fsinfo drives") or FileName has_any ("mountvol.exe", "net.exe", "wmic.exe", "fsutil.exe")
| extend Utility = case(
FileName has "mountvol", "mountvol",
FileName has "net", "net",
FileName has "wmic", "wmic",
FileName has "fsutil", "fsutil",
"Other"
)
| summarize Count = count(), Earliest = min(TimeGenerated), Latest = max(TimeGenerated) by Utility
| where Utility != "Other" | Correct | 1 | 18.61s | 0.0024 |
gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0016 |
gpt-4o | wmic | DeviceProcessEvents
| where FileName in ("cmd.exe", "powershell.exe", "wmic.exe", "diskpart.exe")
| where isnotempty(ProcessCommandLine) and (ProcessCommandLine has_any ("list", "select", "disk", "volume", "get", "drive"))
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName | Incorrect | 2 | 28.39s | 0.0499 |
grok-3-beta | fsutil.exe | DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where FileName in ('diskpart.exe', 'fsutil.exe', 'wmic.exe') or InitiatingProcessFileName in ('diskpart.exe', 'fsutil.exe', 'wmic.exe')
| project UtilityName = FileName, CommandLine = ProcessCommandLine, DeviceName, AccountName, ProcessCreationTime
| order by ProcessCreationTime desc | Correct | 3 | 20.65s | 0.0556 |
grok-3-mini-beta | powershell.exe, cmd.exe | DeviceProcessEvents
| where ProcessCommandLine contains "logicaldisk" or ProcessCommandLine contains "drives" or ProcessCommandLine contains "mountvol" or ProcessCommandLine contains "net use"
| distinct FileName | Incorrect | 1 | 18.30s | 0.0015 |
o1-high | net | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName in~ ("cmd.exe", "powershell.exe", "net.exe", "wmic.exe", "fsutil.exe", "diskpart.exe", "mountvol.exe")
| where ProcessCommandLine has_any ("net use", "wmic logicaldisk", "Get-WmiObject Win32_LogicalDisk", "Get-PSDrive", "fsutil volume", "diskpart", "mountvol")
| project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine
| order by TimeGenerated desc | Incorrect | 1 | 33.88s | 0.2580 |
o1-low | net | // Search process execution events for enumerating drives (e.g., using net.exe, mountvol.exe, wmic.exe)
DeviceProcessEvents
| where // Filter for timeframe in portal. E.g., TimeGenerated >= startofday(ago(7d))
(FileName in~ ("net.exe", "wmic.exe", "mountvol.exe", "cmd.exe", "powershell.exe"))
and (
ProcessCommandLine has "net use"
or ProcessCommandLine has "wmic logicaldisk"
or ProcessCommandLine has "mountvol"
or ProcessCommandLine has "Get-PSDrive"
)
| project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine
| order by TimeGenerated desc
| Incorrect | 1 | 34.15s | 0.2338 |
o3-mini-high | net.exe | DeviceProcessEvents
| where FileName in~ ("net.exe", "wmic.exe", "diskpart.exe", "fsutil.exe", "vol.exe")
| where ProcessCommandLine has_any ("use", "logicaldisk", "list", "drive")
| summarize EventCount=count() by FileName, ProcessCommandLine
| sort by EventCount desc | Incorrect | 1 | 34.48s | 0.0089 |
o3-mini-low | net.exe | DeviceProcessEvents
| where tolower(InitiatingProcessFileName) in ("wmic.exe", "fsutil.exe", "net.exe")
| where tolower(InitiatingProcessCommandLine) contains "logicaldisk" or
tolower(InitiatingProcessCommandLine) contains "drives" or
tolower(InitiatingProcessCommandLine) contains "use"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine
| summarize Count = count() by InitiatingProcessFileName, bin(TimeGenerated, 1h)
| sort by TimeGenerated desc | Incorrect | 4 | 50.52s | 0.0348 |
o4-mini-high | cmd.exe | DeviceProcessEvents
| where ProcessCommandLine has_any ("logicaldisk", "fsinfo", "Get-PSDrive", "net use", "mountvol", "list volume")
| summarize InvocationCount = count() by FileName
| order by InvocationCount desc | Incorrect | 1 | 43.47s | 0.0139 |
o4-mini-low | net.exe | DeviceProcessEvents
| where FileName in~ ("fsutil.exe", "mountvol.exe", "diskpart.exe", "wmic.exe", "powershell.exe", "net.exe")
// Identify only those invocations that enumerate connected drives
| where (tolower(FileName) == "fsutil.exe" and ProcessCommandLine has "fsinfo drives")
or (tolower(FileName) == "mountvol.exe")
or (tolower(FileName) == "diskpart.exe" and ProcessCommandLine has_any ("list disk", "list volume"))
or (tolower(FileName) == "wmic.exe" and ProcessCommandLine has "logicaldisk")
or (tolower(FileName) == "powershell.exe"and ProcessCommandLine has "get-psdrive")
or (tolower(FileName) == "net.exe" and ProcessCommandLine has "use")
| project Timestamp, DeviceName, Utility=FileName, Command=ProcessCommandLine
| summarize UsageCount = count(), SampleDevices = make_set(DeviceName, 5), SampleCommands = make_set(Command, 5) by Utility
| sort by UsageCount desc | Incorrect | 3 | 62.71s | 0.0216 |