// question

Using Windows process event logs, investigate PowerShell activity around lsass.exe memory capture. What was the name of the script file invoked to perform the dump?

Reference KQL answer and model-by-model comparison.

6502c8f0-b775-4dbd-9193-1298f56b6781
question id
10/22
models correct
1
valid answer
45%
success rate
// reference answer

Human-validated correct answer for this question.

Out-Minidump.ps1
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
Out-Minidump.ps1
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine contains "lsass"
| where ProcessCommandLine contains "dump" or ProcessCommandLine contains "minidump" or ProcessCommandLine contains "credential" or ProcessCommandLine contains "memory"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
pass119.84s0.0068
gpt-35-turbo
no answer
no query generatedfail50.00s0.0115
gpt-4-turbo-2024-04-09
no answer
no query generatedfail50.00s0.2371
gpt-4.1
Out-Minidump.ps1
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where tolower(FileName) in ("powershell.exe", "pwsh.exe")
| where tolower(ProcessCommandLine) has_any ("lsass", "procdump", "minidump", "out-minidump", "sekurlsa")
| extend ScriptFile = extract(@"([\w\-\\.:]+\.ps1)", 1, ProcessCommandLine)
| where isnotempty(ScriptFile)
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, ScriptFile
| order by TimeGenerated desc
pass315.20s0.0280
gpt-4.1-finetuned
no answer
no query generatedfail50.00s0.0364
gpt-4.1-mini
no answer
no query generatedfail50.00s0.0080
gpt-4.1-nano
no answer
no query generatedfail50.00s0.0015
gpt-4o
Out-Minidump.ps1
DeviceProcessEvents
| where InitiatingProcessFileName == "powershell.exe"
| where ProcessCommandLine has "lsass"
| extend ScriptFileName = FileName
pass15.43s0.0233
gpt-5-high
Out-Minidump.ps1
DeviceProcessEvents
| where FileName in~ ("rundll32.exe","procdump.exe","procdump64.exe","werfault.exe","taskmgr.exe","powershell.exe","pwsh.exe","powershell_ise.exe")
// Look for common lsass dump indicators
| where ProcessCommandLine has_any ("comsvcs.dll","MiniDump","lsass","lsass.exe","procdump",".dmp","-ma")
// Decide which command line to parse for the script: PowerShell's own CL or the initiator's CL
| extend RawCL = tostring(iif(FileName in~ ("powershell.exe","pwsh.exe","powershell_ise.exe"), ProcessCommandLine, InitiatingProcessCommandLine))
// Extract a .ps1 path/token, then just the script file name
| extend ScriptPath = extract(@'(?i)([^\s"''<>|]+\.ps1)', 1, RawCL)
| extend ScriptFile = extract(@'(?i)([^\\/:]+\.ps1)$', 1, ScriptPath)
| where isnotempty(ScriptFile)
| summarize Count=count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by ScriptFile
| order by Count desc, LastSeen desc
| take 1
| project ScriptFile
pass2208.91s0.1032
gpt-5-mini-high
no answer
no query generatedfail50.00s0.0195
gpt-5-mini-low
Out-Minidump.ps1
// Find PowerShell commands that reference lsass or procdump and extract invoked .ps1 script names
let ps_cmds = DeviceProcessEvents
| where FileName has_cs "powershell" or InitiatingProcessFileName has_cs "powershell"
// look for signs of lsass memory dumping or a script invocation
| where ProcessCommandLine has_cs "lsass" or ProcessCommandLine has_cs "procdump" or ProcessCommandLine has_cs ".ps1"
| extend ScriptName = extract(@"(?i)([^\\\/\s]+\.ps1)", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, AccountName, ProcessId, ProcessCommandLine, ScriptName;

// Find PowerShell-launched .ps1 files (file events)
let ps_files = DeviceFileEvents
| where FileName endswith_cs ".ps1" and (InitiatingProcessFileName has_cs "powershell" or InitiatingProcessCommandLine has_cs "powershell")
| extend ScriptName = FileName
| project FileTimeGenerated = TimeGenerated, DeviceName, ScriptName, FolderPath, FileOriginUrl, InitiatingProcessCommandLine;

// Correlate and show results
ps_cmds
| join kind=leftouter (ps_files) on DeviceName, ScriptName
| project TimeGenerated, FileTimeGenerated, DeviceName, AccountName, ScriptName, FolderPath, ProcessCommandLine, InitiatingProcessCommandLine, FileOriginUrl
| order by TimeGenerated desc
| where isnotempty(ScriptName)
| take 50
pass132.50s0.0078
gpt-5-mini-medium
Out-Minidump.ps1
// PowerShell + lsass memory dump investigation
let indicators = dynamic(["lsass","lsass.exe","dump","procdump",".dmp","minidumpwritedump","comsvcs.dll","rundll32"]);

let proc = DeviceProcessEvents
| where TimeGenerated between (startofday(ago(7d)) .. now())
| where isnotempty(ProcessCommandLine)
| where ProcessCommandLine has_cs "powershell" or ProcessCommandLine has_cs "pwsh" or ProcessCommandLine has_cs "powershell.exe" or ProcessCommandLine has_cs "pwsh.exe"
| where (
    ProcessCommandLine has_cs "lsass" or ProcessCommandLine has_cs "lsass.exe" or
    ProcessCommandLine has_cs "dump" or ProcessCommandLine has_cs "procdump" or
    ProcessCommandLine has_cs ".dmp" or ProcessCommandLine has_cs "MiniDumpWriteDump" or
    ProcessCommandLine has_cs "comsvcs.dll" or ProcessCommandLine has_cs "rundll32"
)
| extend Cmd = ProcessCommandLine, Time = TimeGenerated, Device = DeviceName, PID = ProcessId, User = AccountName
| extend ScriptName = extract(@"(?i)([\w\-\.]+\.ps1)", 1, Cmd)
| extend EXEInvoked = extract(@"(?i)([\w\-\.]+\.(exe|dll|ps1))", 1, Cmd)
| extend DmpFile = extract(@"(?i)([\w\-\.]+\.dmp)", 1, Cmd)
| extend PotentialIndicator = trim('\"', coalesce(ScriptName, EXEInvoked, DmpFile, ""))
| project Time, Device, PID, User, Cmd, ScriptName, EXEInvoked, DmpFile, PotentialIndicator;

let dev = DeviceEvents
| where TimeGenerated between (startofday(ago(7d)) .. now())
| where isnotempty(InitiatingProcessCommandLine)
| where ActionType has_cs "ProcessCreated" or ActionType has_cs "Create" or ActionType has_cs "Process"
| where InitiatingProcessCommandLine has_cs "powershell" or InitiatingProcessCommandLine has_cs "pwsh" or InitiatingProcessCommandLine has_cs "powershell.exe" or InitiatingProcessCommandLine has_cs "pwsh.exe"
| where (
    InitiatingProcessCommandLine has_cs "lsass" or InitiatingProcessCommandLine has_cs "lsass.exe" or
    InitiatingProcessCommandLine has_cs "dump" or InitiatingProcessCommandLine has_cs "procdump" or
    InitiatingProcessCommandLine has_cs ".dmp" or InitiatingProcessCommandLine has_cs "MiniDumpWriteDump" or
    InitiatingProcessCommandLine has_cs "comsvcs.dll" or InitiatingProcessCommandLine has_cs "rundll32"
)
| extend Cmd = InitiatingProcessCommandLine, Time = TimeGenerated, Device = DeviceName, PID = InitiatingProcessId, User = InitiatingProcessAccountName
| extend ScriptName = extract(@"(?i)([\w\-\.]+\.ps1)", 1, Cmd)
| extend EXEInvoked = extract(@"(?i)([\w\-\.]+\.(exe|dll|ps1))", 1, Cmd)
| extend DmpFile = extract(@"(?i)([\w\-\.]+\.dmp)", 1, Cmd)
| extend PotentialIndicator = trim('\"', coalesce(ScriptName, EXEInvoked, DmpFile, ""))
| project Time, Device, PID, User, Cmd, ScriptName, EXEInvoked, DmpFile, PotentialIndicator;

proc
| union dev
| summarize FirstSeen=min(Time), LastSeen=max(Time), Count=count(), SampleCmd=any(Cmd), SamplePotentialIndicator=any(PotentialIndicator) by Device, User, PID, ScriptName, EXEInvoked, DmpFile
| where Count > 0
| order by LastSeen desc
| top 100 by LastSeen
| project Device, User, PID, ScriptName, EXEInvoked, DmpFile, SamplePotentialIndicator, FirstSeen, LastSeen, Count
pass243.47s0.0076
gpt-5-nano-high
no answer
no query generatedfail50.00s0.0116
grok-3-beta
Out-Minidump.ps1
DeviceProcessEvents
| where (InitiatingProcessFileName =~ 'powershell.exe' or FileName =~ 'powershell.exe')
| where (ProcessCommandLine contains 'lsass' or InitiatingProcessCommandLine contains 'lsass')
| project 
    ScriptFileName = extract('([^ \"]*\\.ps1)', 1, ProcessCommandLine),
    ProcessFileName = FileName,
    ProcessCommandLine,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    AccountName,
    AccountDomain,
    DeviceName,
    DeviceId,
    Timestamp
| order by Timestamp desc
pass112.18s0.0242
grok-3-mini-beta
no answer
no query generatedfail50.00s0.0079
o1-high
Out-Minidump.ps1
DeviceProcessEvents
| where (FileName == "powershell.exe" or InitiatingProcessFileName == "powershell.exe")
    and (ProcessCommandLine has "lsass" or InitiatingProcessCommandLine has "lsass")
| extend InvokedScript = extract(@"([^\s]+\.ps1)",1,ProcessCommandLine)
| project TimeGenerated, DeviceName, AccountName, InvokedScript, ProcessCommandLine, InitiatingProcessCommandLine
pass133.34s0.2002
o1-low
Out-Minidump.ps1
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has "lsass"
| extend ScriptFile = extract(@"(\S+\.ps1)", 1, ProcessCommandLine)
| where isnotempty(ScriptFile)
| project TimeGenerated, DeviceName, AccountName, ScriptFile, ProcessCommandLine
| distinct ScriptFile
pass348.28s0.4114
o3-high
Out-Minidump.ps1
let ps_hosts      = dynamic(["powershell.exe","pwsh.exe","powershell_ise.exe"]);
let dump_keywords = dynamic(["lsass","minidump","comsvcs.dll","procdump","out-minidump"]);
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName in~ (ps_hosts)
| where ProcessCommandLine has_any (dump_keywords)
| extend ScriptFile = extract(@'\S+\.ps1', 0, ProcessCommandLine)
| where isnotempty(ScriptFile)
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, ScriptFile
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Devices = make_set(DeviceName, 50) by ScriptFile
| order by FirstSeen asc
pass4123.77s0.0703
o3-mini-high
no answer
no query generatedfail50.00s0.0402
o3-mini-low
no answer
no query generatedfail50.00s0.0425
o4-mini-high
no answer
no query generatedfail50.00s0.0417
o4-mini-low
no answer
no query generatedfail50.00s0.0345