Question Analysis
Windows system logs show PowerShell zipping up the contents of a user’s profile folder. Investigate process and file events to determine the exact name of the ZIP archive created.
41410c60-614d-4b9d-b66e-b0192dd9c597
Question ID
9/16
Models Correct
1
Valid Answer
56%
Success Rate
Reference Answer
Human-validated correct answer for this question
T1560-data-ps.zip
Model Performance Comparison
See how different AI models performed on this question
| Model | Answer | KQL Query | Status | Attempts | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | T1560-data-ps.zip | DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".zip"
| where InitiatingProcessFileName =~ "powershell.exe"
| where InitiatingProcessCommandLine has "Compress-Archive" or InitiatingProcessCommandLine has ".Compression.FileSystem"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, FileName, FolderPath, InitiatingProcessAccountName | Correct | 1 | 14.39s | 0.0074 |
| gpt-35-turbo | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0112 |
| gpt-4-turbo-2024-04-09 | T1560-data-ps.zip | DeviceProcessEvents
| where InitiatingProcessFileName == 'powershell.exe' and ProcessCommandLine has 'Compress-Archive'
| project DeviceId, ProcessId, ProcessCreationTime, ProcessCommandLine
| join kind=inner (
DeviceFileEvents
| where ActionType == 'FileCreated' and FileName endswith '.zip'
) on DeviceId
| project FileName, ProcessCommandLine, TimeGenerated | Correct | 1 | 11.39s | 0.0602 |
| gpt-4.1 | T1560-data-ps.zip | DeviceFileEvents
| where ActionType == "FileCreated"
// Focus on ZIP archive creations
| where FileName endswith ".zip"
// Initiated by PowerShell
| where InitiatingProcessFileName =~ "powershell.exe"
// Profile folder paths typically contain '\Users\' or similar.
| where FolderPath has "\\Users\\"
| project TimeGenerated, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain
| sort by TimeGenerated desc | Correct | 1 | 5.99s | 0.0152 |
| gpt-4.1-finetuned | T1560-data-ps.zip | DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has @".zip"
| take 100
| Correct | 4 | 15.73s | 0.0361 |
| gpt-4.1-mini | T1560-data-ps.zip | DeviceFileEvents
| where InitiatingProcessFileName has "powershell.exe" and FileName endswith ".zip"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, FileName, FolderPath
| order by TimeGenerated desc
| take 10 | Correct | 1 | 2.94s | 0.0029 |
| gpt-4.1-nano | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0020 |
| gpt-4o | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0585 |
| grok-3-beta | chrome.zip | let TimeRange = ago(7d);
DeviceProcessEvents
| where TimeGenerated >= TimeRange
| where InitiatingProcessFileName =~ 'powershell.exe'
| where ProcessCommandLine has_any ('Compress-Archive', 'zip', 'DestinationPath', '-Path')
| project ProcessTimestamp=Timestamp, DeviceId, DeviceName, InitiatingProcessId, ProcessCommandLine, ProcessCreationTime
| join kind=leftouter (
DeviceFileEvents
| where TimeGenerated >= TimeRange
| where FileName endswith '.zip'
| where ActionType == 'FileCreated'
| project FileTimestamp=Timestamp, DeviceId, FileName, FolderPath
) on DeviceId
| where FileTimestamp between (ProcessCreationTime .. timespan(10m))
| project ProcessTimestamp, DeviceName, FileName, FolderPath, ProcessCommandLine
| order by ProcessTimestamp desc | Incorrect | 4 | 52.33s | 0.0981 |
| grok-3-mini-beta | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0077 |
| o1-high | T1560-data-ps.zip | DeviceProcessEvents
| where FileName =~ "powershell.exe"
| project DeviceId,
HostName=DeviceName,
PSPID=ProcessId,
PSCommandLine=ProcessCommandLine,
PSTime=TimeGenerated
| join kind=inner (
DeviceFileEvents
| where ActionType == "FileCreated" and FileName endswith ".zip"
| project DeviceId,
FileCreatedTime=TimeGenerated,
ZipFolderPath=FolderPath,
ZipFileName=FileName,
ParentPID=InitiatingProcessId
) on $left.DeviceId == $right.DeviceId and $left.PSPID == $right.ParentPID
| project FileCreatedTime,
HostName,
ZipFolderPath,
ZipFileName,
PSCommandLine
| order by FileCreatedTime desc | Correct | 3 | 120.05s | 0.6092 |
| o1-low | T1560-data-ps.zip | DeviceFileEvents
| where ActionType in ("FileCreated", "FileCreatedOrModified")
| where FolderPath startswith "C:\\Users\\"
| where FileName endswith ".zip"
| where InitiatingProcessFileName =~ "powershell.exe" or InitiatingProcessCommandLine has "powershell"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, FileName, InitiatingProcessAccountName
| order by TimeGenerated desc | Correct | 1 | 27.47s | 0.2247 |
| o3-mini-high | T1560-data-ps.zip | union
(DeviceProcessEvents
| where InitiatingProcessCommandLine has "powershell"
| where InitiatingProcessCommandLine has "Compress-Archive"
),
(DeviceFileEvents
| where FileName endswith ".zip"
| where FolderPath has "C:\\Users\\"
)
| project TimeGenerated, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessCommandLine, SourceSystem, Type
| sort by TimeGenerated desc | Correct | 1 | 15.23s | 0.0125 |
| o3-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0488 |
| o4-mini-high | T1560-data-ps.zip | let CompressEvents =
DeviceProcessEvents
// Identify PowerShell compress-archive commands
| where FileName == "powershell.exe"
| where ProcessCommandLine has "Compress-Archive"
| project
DeviceId,
DeviceName,
CompressProcessId = ProcessId,
CompressTime = TimeGenerated,
User = AccountName,
CommandLine = ProcessCommandLine;
let ZipFileCreations =
DeviceFileEvents
// Capture created ZIP files
| where ActionType in ("Created", "FileCreated")
| where FileName endswith ".zip"
| project
DeviceId,
ZipCreationTime = TimeGenerated,
InitiatingProcessId,
ZipFileName = FileName,
ZipFullPath = strcat(FolderPath, "\\", FileName);
// Correlate the compress command with the ZIP file creation
CompressEvents
| join kind=inner ZipFileCreations
on $left.DeviceId == $right.DeviceId
and $left.CompressProcessId == $right.InitiatingProcessId
| project
ZipCreationTime,
DeviceId,
DeviceName,
User,
ZipFileName,
ZipFullPath,
CommandLine
| sort by ZipCreationTime desc | Correct | 2 | 76.91s | 0.0140 |
| o4-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0585 |