// question
Using Windows process event logs, investigate PowerShell activity around lsass.exe memory capture. What was the name of the script file invoked to perform the dump?
Reference KQL answer and model-by-model comparison.
6502c8f0-b775-4dbd-9193-1298f56b6781
question id
10/22
models correct
1
valid answer
45%
success rate
// reference answer
Human-validated correct answer for this question.
Out-Minidump.ps1
// model comparison
| Model | Answer | KQL query | Status | Tries | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | Out-Minidump.ps1 | DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine contains "lsass"
| where ProcessCommandLine contains "dump" or ProcessCommandLine contains "minidump" or ProcessCommandLine contains "credential" or ProcessCommandLine contains "memory"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine | pass | 1 | 19.84s | 0.0068 |
| gpt-35-turbo | no answer | no query generated | fail | 5 | 0.00s | 0.0115 |
| gpt-4-turbo-2024-04-09 | no answer | no query generated | fail | 5 | 0.00s | 0.2371 |
| gpt-4.1 | Out-Minidump.ps1 | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where tolower(FileName) in ("powershell.exe", "pwsh.exe")
| where tolower(ProcessCommandLine) has_any ("lsass", "procdump", "minidump", "out-minidump", "sekurlsa")
| extend ScriptFile = extract(@"([\w\-\\.:]+\.ps1)", 1, ProcessCommandLine)
| where isnotempty(ScriptFile)
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, ScriptFile
| order by TimeGenerated desc | pass | 3 | 15.20s | 0.0280 |
| gpt-4.1-finetuned | no answer | no query generated | fail | 5 | 0.00s | 0.0364 |
| gpt-4.1-mini | no answer | no query generated | fail | 5 | 0.00s | 0.0080 |
| gpt-4.1-nano | no answer | no query generated | fail | 5 | 0.00s | 0.0015 |
| gpt-4o | Out-Minidump.ps1 | DeviceProcessEvents | where InitiatingProcessFileName == "powershell.exe" | where ProcessCommandLine has "lsass" | extend ScriptFileName = FileName | pass | 1 | 5.43s | 0.0233 |
| gpt-5-high | Out-Minidump.ps1 | DeviceProcessEvents
| where FileName in~ ("rundll32.exe","procdump.exe","procdump64.exe","werfault.exe","taskmgr.exe","powershell.exe","pwsh.exe","powershell_ise.exe")
// Look for common lsass dump indicators
| where ProcessCommandLine has_any ("comsvcs.dll","MiniDump","lsass","lsass.exe","procdump",".dmp","-ma")
// Decide which command line to parse for the script: PowerShell's own CL or the initiator's CL
| extend RawCL = tostring(iif(FileName in~ ("powershell.exe","pwsh.exe","powershell_ise.exe"), ProcessCommandLine, InitiatingProcessCommandLine))
// Extract a .ps1 path/token, then just the script file name
| extend ScriptPath = extract(@'(?i)([^\s"''<>|]+\.ps1)', 1, RawCL)
| extend ScriptFile = extract(@'(?i)([^\\/:]+\.ps1)$', 1, ScriptPath)
| where isnotempty(ScriptFile)
| summarize Count=count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by ScriptFile
| order by Count desc, LastSeen desc
| take 1
| project ScriptFile | pass | 2 | 208.91s | 0.1032 |
| gpt-5-mini-high | no answer | no query generated | fail | 5 | 0.00s | 0.0195 |
| gpt-5-mini-low | Out-Minidump.ps1 | // Find PowerShell commands that reference lsass or procdump and extract invoked .ps1 script names let ps_cmds = DeviceProcessEvents | where FileName has_cs "powershell" or InitiatingProcessFileName has_cs "powershell" // look for signs of lsass memory dumping or a script invocation | where ProcessCommandLine has_cs "lsass" or ProcessCommandLine has_cs "procdump" or ProcessCommandLine has_cs ".ps1" | extend ScriptName = extract(@"(?i)([^\\\/\s]+\.ps1)", 1, ProcessCommandLine) | project TimeGenerated, DeviceName, AccountName, ProcessId, ProcessCommandLine, ScriptName; // Find PowerShell-launched .ps1 files (file events) let ps_files = DeviceFileEvents | where FileName endswith_cs ".ps1" and (InitiatingProcessFileName has_cs "powershell" or InitiatingProcessCommandLine has_cs "powershell") | extend ScriptName = FileName | project FileTimeGenerated = TimeGenerated, DeviceName, ScriptName, FolderPath, FileOriginUrl, InitiatingProcessCommandLine; // Correlate and show results ps_cmds | join kind=leftouter (ps_files) on DeviceName, ScriptName | project TimeGenerated, FileTimeGenerated, DeviceName, AccountName, ScriptName, FolderPath, ProcessCommandLine, InitiatingProcessCommandLine, FileOriginUrl | order by TimeGenerated desc | where isnotempty(ScriptName) | take 50 | pass | 1 | 32.50s | 0.0078 |
| gpt-5-mini-medium | Out-Minidump.ps1 | // PowerShell + lsass memory dump investigation
let indicators = dynamic(["lsass","lsass.exe","dump","procdump",".dmp","minidumpwritedump","comsvcs.dll","rundll32"]);
let proc = DeviceProcessEvents
| where TimeGenerated between (startofday(ago(7d)) .. now())
| where isnotempty(ProcessCommandLine)
| where ProcessCommandLine has_cs "powershell" or ProcessCommandLine has_cs "pwsh" or ProcessCommandLine has_cs "powershell.exe" or ProcessCommandLine has_cs "pwsh.exe"
| where (
ProcessCommandLine has_cs "lsass" or ProcessCommandLine has_cs "lsass.exe" or
ProcessCommandLine has_cs "dump" or ProcessCommandLine has_cs "procdump" or
ProcessCommandLine has_cs ".dmp" or ProcessCommandLine has_cs "MiniDumpWriteDump" or
ProcessCommandLine has_cs "comsvcs.dll" or ProcessCommandLine has_cs "rundll32"
)
| extend Cmd = ProcessCommandLine, Time = TimeGenerated, Device = DeviceName, PID = ProcessId, User = AccountName
| extend ScriptName = extract(@"(?i)([\w\-\.]+\.ps1)", 1, Cmd)
| extend EXEInvoked = extract(@"(?i)([\w\-\.]+\.(exe|dll|ps1))", 1, Cmd)
| extend DmpFile = extract(@"(?i)([\w\-\.]+\.dmp)", 1, Cmd)
| extend PotentialIndicator = trim('\"', coalesce(ScriptName, EXEInvoked, DmpFile, ""))
| project Time, Device, PID, User, Cmd, ScriptName, EXEInvoked, DmpFile, PotentialIndicator;
let dev = DeviceEvents
| where TimeGenerated between (startofday(ago(7d)) .. now())
| where isnotempty(InitiatingProcessCommandLine)
| where ActionType has_cs "ProcessCreated" or ActionType has_cs "Create" or ActionType has_cs "Process"
| where InitiatingProcessCommandLine has_cs "powershell" or InitiatingProcessCommandLine has_cs "pwsh" or InitiatingProcessCommandLine has_cs "powershell.exe" or InitiatingProcessCommandLine has_cs "pwsh.exe"
| where (
InitiatingProcessCommandLine has_cs "lsass" or InitiatingProcessCommandLine has_cs "lsass.exe" or
InitiatingProcessCommandLine has_cs "dump" or InitiatingProcessCommandLine has_cs "procdump" or
InitiatingProcessCommandLine has_cs ".dmp" or InitiatingProcessCommandLine has_cs "MiniDumpWriteDump" or
InitiatingProcessCommandLine has_cs "comsvcs.dll" or InitiatingProcessCommandLine has_cs "rundll32"
)
| extend Cmd = InitiatingProcessCommandLine, Time = TimeGenerated, Device = DeviceName, PID = InitiatingProcessId, User = InitiatingProcessAccountName
| extend ScriptName = extract(@"(?i)([\w\-\.]+\.ps1)", 1, Cmd)
| extend EXEInvoked = extract(@"(?i)([\w\-\.]+\.(exe|dll|ps1))", 1, Cmd)
| extend DmpFile = extract(@"(?i)([\w\-\.]+\.dmp)", 1, Cmd)
| extend PotentialIndicator = trim('\"', coalesce(ScriptName, EXEInvoked, DmpFile, ""))
| project Time, Device, PID, User, Cmd, ScriptName, EXEInvoked, DmpFile, PotentialIndicator;
proc
| union dev
| summarize FirstSeen=min(Time), LastSeen=max(Time), Count=count(), SampleCmd=any(Cmd), SamplePotentialIndicator=any(PotentialIndicator) by Device, User, PID, ScriptName, EXEInvoked, DmpFile
| where Count > 0
| order by LastSeen desc
| top 100 by LastSeen
| project Device, User, PID, ScriptName, EXEInvoked, DmpFile, SamplePotentialIndicator, FirstSeen, LastSeen, Count | pass | 2 | 43.47s | 0.0076 |
| gpt-5-nano-high | no answer | no query generated | fail | 5 | 0.00s | 0.0116 |
| grok-3-beta | Out-Minidump.ps1 | DeviceProcessEvents
| where (InitiatingProcessFileName =~ 'powershell.exe' or FileName =~ 'powershell.exe')
| where (ProcessCommandLine contains 'lsass' or InitiatingProcessCommandLine contains 'lsass')
| project
ScriptFileName = extract('([^ \"]*\\.ps1)', 1, ProcessCommandLine),
ProcessFileName = FileName,
ProcessCommandLine,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
AccountName,
AccountDomain,
DeviceName,
DeviceId,
Timestamp
| order by Timestamp desc | pass | 1 | 12.18s | 0.0242 |
| grok-3-mini-beta | no answer | no query generated | fail | 5 | 0.00s | 0.0079 |
| o1-high | Out-Minidump.ps1 | DeviceProcessEvents
| where (FileName == "powershell.exe" or InitiatingProcessFileName == "powershell.exe")
and (ProcessCommandLine has "lsass" or InitiatingProcessCommandLine has "lsass")
| extend InvokedScript = extract(@"([^\s]+\.ps1)",1,ProcessCommandLine)
| project TimeGenerated, DeviceName, AccountName, InvokedScript, ProcessCommandLine, InitiatingProcessCommandLine | pass | 1 | 33.34s | 0.2002 |
| o1-low | Out-Minidump.ps1 | DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has "lsass"
| extend ScriptFile = extract(@"(\S+\.ps1)", 1, ProcessCommandLine)
| where isnotempty(ScriptFile)
| project TimeGenerated, DeviceName, AccountName, ScriptFile, ProcessCommandLine
| distinct ScriptFile | pass | 3 | 48.28s | 0.4114 |
| o3-high | Out-Minidump.ps1 | let ps_hosts = dynamic(["powershell.exe","pwsh.exe","powershell_ise.exe"]); let dump_keywords = dynamic(["lsass","minidump","comsvcs.dll","procdump","out-minidump"]); DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName in~ (ps_hosts) | where ProcessCommandLine has_any (dump_keywords) | extend ScriptFile = extract(@'\S+\.ps1', 0, ProcessCommandLine) | where isnotempty(ScriptFile) | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, ScriptFile | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Devices = make_set(DeviceName, 50) by ScriptFile | order by FirstSeen asc | pass | 4 | 123.77s | 0.0703 |
| o3-mini-high | no answer | no query generated | fail | 5 | 0.00s | 0.0402 |
| o3-mini-low | no answer | no query generated | fail | 5 | 0.00s | 0.0425 |
| o4-mini-high | no answer | no query generated | fail | 5 | 0.00s | 0.0417 |
| o4-mini-low | no answer | no query generated | fail | 5 | 0.00s | 0.0345 |