Question Analysis

While reviewing Windows process events, you spot a PowerShell process executing a WMI enumeration cmdlet. What WMI class name did the attacker query?

b51239b4-0129-474f-a2b4-70f855b9f2c2

Question ID

6/16

Models Correct

Valid Answer

38%

Success Rate

Reference Answer

Human-validated correct answer for this question

Win32_Process

Model Performance Comparison

See how different AI models performed on this question

Model	Answer	KQL Query	Status	Attempts	Time	Cost
gemini-2.5-flash-preview-04-17	Win32_Process	DeviceProcessEvents \| where FileName =~ "powershell.exe" \| where ProcessCommandLine has "Get-WmiObject" or ProcessCommandLine has "Get-CimInstance" \| extend WmiClassName = extract("(?i)-(Class\|ClassName)\\s+[\\\"\']?([^\\\"\']+)[\\\"\']?", 2, ProcessCommandLine) \| where isnotempty(WmiClassName) \| project Timestamp, DeviceName, ProcessCommandLine, WmiClassName	Correct	2	34.66s	0.0190
gpt-35-turbo	No answer provided	No query generated	Incorrect	5	0.00s	0.0113
gpt-4-turbo-2024-04-09	No answer provided	No query generated	Incorrect	5	0.00s	0.2403
gpt-4.1	Win32_Process	DeviceProcessEvents \| where FileName =~ "powershell.exe" \| where ProcessCommandLine has_any ("Get-WmiObject", "Get-CimInstance", "wmic") \| extend WMIClass = extract(@'(?i)(Win32_[a-zA-Z0-9_]+)', 1, ProcessCommandLine) \| where isnotempty(WMIClass) \| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, WMIClass \| summarize count() by WMIClass	Correct	1	3.58s	0.0109
gpt-4.1-finetuned	No answer provided	No query generated	Incorrect	5	0.00s	0.0431
gpt-4.1-mini	No answer provided	No query generated	Incorrect	5	0.00s	0.0079
gpt-4.1-nano	No answer provided	No query generated	Incorrect	5	0.00s	0.0058
gpt-4o	No answer provided	No query generated	Incorrect	5	0.00s	0.0493
grok-3-beta	Win32_Process	DeviceProcessEvents \| where FileName has "powershell.exe" \| where ProcessCommandLine matches regex "(?i)(Get-WmiObject\|Invoke-WmiMethod).*?-Class\\s+[^\\s;]+" \| extend WMIClass = extract("(?i)-Class\\s+([^\\s;]+)", 1, ProcessCommandLine) \| where isnotempty(WMIClass) \| summarize Count = count() by WMIClass \| project WMIClass, Count	Correct	4	32.00s	0.0711
grok-3-mini-beta	No answer provided	No query generated	Incorrect	5	0.00s	0.0072
o1-high	Win32_Process	DeviceProcessEvents \| where FileName =~ "powershell.exe" \| where ProcessCommandLine has_any ("Get-WmiObject", "gwmi", "Get-CimInstance") \| extend WmiClassName=extract(@"-Class\s+(\S+)", 1, ProcessCommandLine) \| project TimeGenerated, DeviceName, AccountName, WmiClassName, ProcessCommandLine \| order by TimeGenerated desc	Correct	2	89.94s	0.4221
o1-low	Win32_PerfFormattedData_PerfOS_System	DeviceProcessEvents \| where FileName =~ "powershell.exe" \| where ProcessCommandLine has_any ("Get-WmiObject", "Get-CimInstance", "Invoke-WmiMethod", "win32_") \| extend WmiClassQueried = extract(@"(?i)(win32_\S+)", 0, ProcessCommandLine) \| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, WmiClassQueried \| order by TimeGenerated desc	Incorrect	1	35.02s	0.2462
o3-mini-high	No answer provided	No query generated	Incorrect	5	0.00s	0.0400
o3-mini-low	No answer provided	No query generated	Incorrect	5	0.00s	0.0380
o4-mini-high	Win32_Process	DeviceProcessEvents \| where FileName has_cs "powershell.exe" \| where ProcessCommandLine has_any ("Get-WmiObject", "Get-CimInstance", "gwmi") \| extend WmiClass1 = extract("(?i)-Class\\s+['\\\"]?(Win32_[^\\s'\\\"]+)", 1, ProcessCommandLine) \| extend WmiClass2 = extract("(?i)FROM\\s+(Win32_[^\\s'\\\";,]+)", 1, ProcessCommandLine) \| extend WmiClass = coalesce(WmiClass1, WmiClass2) \| where isnotempty(WmiClass) \| summarize EventCount = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by WmiClass \| project WmiClass, EventCount, FirstSeen, LastSeen \| order by EventCount desc	Correct	3	100.72s	0.0319
o4-mini-low	Win32_Process	DeviceProcessEvents \| where FileName =~ "powershell.exe" \| where ProcessCommandLine has_any ("Get-WmiObject", "gwmi", "Get-CimInstance", "Invoke-WmiMethod") \| extend WmiClass = extract(@"(?i)(?:-ClassName\|-Class)\s+([A-Za-z0-9_:.]+)", 1, ProcessCommandLine) \| where isnotempty(WmiClass) \| project TimeGenerated, DeviceName, InitiatingProcessAccountName, WmiClass, ProcessCommandLine \| sort by TimeGenerated desc	Correct	1	30.57s	0.0108