Question Analysis
While reviewing Windows process events, you spot a PowerShell process executing a WMI enumeration cmdlet. What WMI class name did the attacker query?
b51239b4-0129-474f-a2b4-70f855b9f2c2
Question ID
8/23
Models Correct
1
Valid Answer
35%
Success Rate
Reference Answer
Human-validated correct answer for this question
Win32_Process
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | Win32_Process | DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has "Get-WmiObject" or ProcessCommandLine has "Get-CimInstance"
| extend WmiClassName = extract("(?i)-(Class|ClassName)\\s+[\\\"\']?([^\\\"\']+)[\\\"\']?", 2, ProcessCommandLine)
| where isnotempty(WmiClassName)
| project Timestamp, DeviceName, ProcessCommandLine, WmiClassName | Correct | 2 | 34.66s | 0.0190 |
| gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0113 |
| gpt-4-turbo-2024-04-09 | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.2403 |
| gpt-4.1 | Win32_Process | DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("Get-WmiObject", "Get-CimInstance", "wmic")
| extend WMIClass = extract(@'(?i)(Win32_[a-zA-Z0-9_]+)', 1, ProcessCommandLine)
| where isnotempty(WMIClass)
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, WMIClass
| summarize count() by WMIClass | Correct | 1 | 3.58s | 0.0109 |
| gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0431 |
| gpt-4.1-mini | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0079 |
| gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0058 |
| gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0493 |
| gpt-5-high | Win32_Group | let wmi_cmdlets = dynamic(["get-wmiobject","gwmi","get-ciminstance","gcim"]);
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName in~ ("powershell.exe","pwsh.exe","powershell_ise.exe")
| where ProcessCommandLine has_any (wmi_cmdlets)
// Extract class from -Class / -ClassName
| extend class_from_param = extract(@"(?i)-(?:class|classname)\s*(?::|=|\s)\s*['""]?((?:[A-Za-z]+\\[\w\\]+:)?[A-Za-z_][\w\.]+)", 1, ProcessCommandLine)
// Extract class from a WQL -Query '... from <Class>'
| extend class_from_query = extract(@"(?i)-query\s+.*?\bfrom\s+((?:[A-Za-z]+\\[\w\\]+:)?[A-Za-z_][\w\.]+)", 1, ProcessCommandLine)
// Extract class when passed positionally right after the cmdlet (e.g., gwmi Win32_Process)
| extend class_from_pos = extract(@"(?i)\b(?:get-wmiobject|gwmi|get-ciminstance|gcim)\s+['""]?((?:[A-Za-z]+\\[\w\\]+:)?[A-Za-z_][\w\.]+)\b", 1, ProcessCommandLine)
// Capture -Namespace if present to qualify class when needed
| extend ns = extract(@"(?i)-namespace\s*(?::|=|\s)\s*['""]?([A-Za-z]+\\[\w\\]+)", 1, ProcessCommandLine)
| extend WmiClassRaw = coalesce(class_from_param, class_from_query, class_from_pos)
| extend WmiClass = iff(isnotempty(ns) and isnotempty(WmiClassRaw) and not(WmiClassRaw contains ":"), strcat(ns, ":", WmiClassRaw), WmiClassRaw)
| where isnotempty(WmiClass)
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountName, FileName, ProcessCommandLine, WmiClass
| summarize EventCount = count(), Examples = make_set(ProcessCommandLine, 3) by WmiClass
| order by EventCount desc | Incorrect | 3 | 219.25s | 0.1513 |
| gpt-5-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0188 |
| gpt-5-mini-low | Win32_Process | DeviceProcessEvents
| where tolower(FileName) in ("powershell.exe","pwsh.exe")
| where tostring(ProcessCommandLine) has_any ("get-wmiobject","get-ciminstance","get-cimclass","gwmi","managementobjectsearcher","select","-class","-classname","-query")
| extend cmdline = tostring(ProcessCommandLine)
// Try multiple case-insensitive regex patterns to extract the WMI class name
| extend WmiClass = coalesce(
extract(@"(?i)-ClassName\s+([A-Za-z0-9_:\.\-]+)", 1, cmdline),
extract(@"(?i)-Class\s+([A-Za-z0-9_:\.\-]+)", 1, cmdline),
extract(@"(?i)gwmi\s+([A-Za-z0-9_:\.\-]+)\b", 1, cmdline),
extract(@"(?i)get-wmiobject\s+([A-Za-z0-9_:\.\-]+)\b", 1, cmdline),
extract(@"(?i)\bfrom\s+([A-Za-z0-9_:\.\-]+)\b", 1, cmdline),
extract(@"(?i)-Query\s+select\b.*?\bfrom\s+([A-Za-z0-9_:\.\-]+)\b", 1, cmdline)
)
| extend WmiClass = trim('\"\' ', tostring(WmiClass))
| where isnotempty(WmiClass)
| summarize Count = count(), ExampleCommand = any(cmdline), Devices = make_set(DeviceName, 10) by WmiClass
| order by Count desc
| project WmiClass, Count, ExampleCommand, Devices
| Correct | 5 | 84.64s | 0.0188 |
| gpt-5-mini-medium | Win32_Process | // Find PowerShell processes invoking WMI cmdlets and extract the WMI class name
union DeviceProcessEvents, DeviceEvents
| where ProcessCommandLine has_any ("powershell","pwsh")
| where ProcessCommandLine has_any ("Get-WmiObject","Get-CimInstance","Get-CimClass","gwmi","get-wmiobject","get-ciminstance")
| extend CommandLine = ProcessCommandLine
// Try -Class, then -Query SELECT ... FROM, then generic FROM
| extend WMI_Class = coalesce(
extract(@"(?i)-Class\s+([A-Za-z0-9_\.]+)", 1, CommandLine),
extract(@"(?i)-Query\s+SELECT\b.*?\bFROM\s+([A-Za-z0-9_\.]+)", 1, CommandLine),
extract(@"(?i)\bFROM\s+([A-Za-z0-9_\.]+)", 1, CommandLine)
)
// Normalize: remove any surrounding/embedded chars that aren't part of a class name
| extend WMI_Class = replace_regex(WMI_Class, "[^A-Za-z0-9_\\.]", "")
| where isnotempty(WMI_Class)
| project TimeGenerated, DeviceName, ProcessId, FileName, AccountName, InitiatingProcessAccountName, CommandLine, WMI_Class
| order by TimeGenerated desc
| distinct DeviceName, ProcessId, CommandLine, WMI_Class, TimeGenerated, AccountName
| take 200 | Correct | 5 | 95.99s | 0.0235 |
| gpt-5-nano-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0096 |
| gpt-5-nano-medium | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0075 |
| grok-3-beta | Win32_Process | DeviceProcessEvents
| where FileName has "powershell.exe"
| where ProcessCommandLine matches regex "(?i)(Get-WmiObject|Invoke-WmiMethod).*?-Class\\s+[^\\s;]+"
| extend WMIClass = extract("(?i)-Class\\s+([^\\s;]+)", 1, ProcessCommandLine)
| where isnotempty(WMIClass)
| summarize Count = count() by WMIClass
| project WMIClass, Count | Correct | 4 | 32.00s | 0.0711 |
| grok-3-mini-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0072 |
| o1-high | Win32_Process | DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("Get-WmiObject", "gwmi", "Get-CimInstance")
| extend WmiClassName=extract(@"-Class\s+(\S+)", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, AccountName, WmiClassName, ProcessCommandLine
| order by TimeGenerated desc | Correct | 2 | 89.94s | 0.4221 |
| o1-low | Win32_PerfFormattedData_PerfOS_System | DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("Get-WmiObject", "Get-CimInstance", "Invoke-WmiMethod", "win32_")
| extend WmiClassQueried = extract(@"(?i)(win32_\S+)", 0, ProcessCommandLine)
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, WmiClassQueried
| order by TimeGenerated desc | Incorrect | 1 | 35.02s | 0.2462 |
| o3-high | win32_group | DeviceProcessEvents
| where FileName has_any ('powershell.exe', 'pwsh.exe')
| where ProcessCommandLine has_any ('get-wmiobject', 'gwmi', 'get-ciminstance')
// Extract the WMI class either passed via -Class or referenced directly (Win32_*/MSFT_*)
| extend WmiClass = coalesce(
extract('-class\\s+[\'\"]?([A-Za-z0-9_]+)', 1, tolower(ProcessCommandLine)),
extract('(win32_[a-z0-9_]+|msft_[a-z0-9_]+)', 1, tolower(ProcessCommandLine))
)
| where isnotempty(WmiClass)
| summarize FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated),
ExecCount = count()
by WmiClass, DeviceName, AccountName
| order by ExecCount desc, LastSeen desc | Incorrect | 4 | 126.20s | 0.0680 |
| o3-mini-high | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0400 |
| o3-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0380 |
| o4-mini-high | Win32_Process | DeviceProcessEvents
| where FileName has_cs "powershell.exe"
| where ProcessCommandLine has_any ("Get-WmiObject", "Get-CimInstance", "gwmi")
| extend WmiClass1 = extract("(?i)-Class\\s+['\\\"]?(Win32_[^\\s'\\\"]+)", 1, ProcessCommandLine)
| extend WmiClass2 = extract("(?i)FROM\\s+(Win32_[^\\s'\\\";,]+)", 1, ProcessCommandLine)
| extend WmiClass = coalesce(WmiClass1, WmiClass2)
| where isnotempty(WmiClass)
| summarize EventCount = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by WmiClass
| project WmiClass, EventCount, FirstSeen, LastSeen
| order by EventCount desc | Correct | 3 | 100.72s | 0.0319 |
| o4-mini-low | Win32_Process | DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("Get-WmiObject", "gwmi", "Get-CimInstance", "Invoke-WmiMethod")
| extend WmiClass = extract(@"(?i)(?:-ClassName|-Class)\s+([A-Za-z0-9_:.]+)", 1, ProcessCommandLine)
| where isnotempty(WmiClass)
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, WmiClass, ProcessCommandLine
| sort by TimeGenerated desc | Correct | 1 | 30.57s | 0.0108 |