// question
Windows systems may be probed for their password policy settings using a native command-line tool. Determine which command was executed to list the local password policy on the target hosts.
Reference KQL answer and model-by-model comparison.
4588d243-f24e-4549-b2e3-e627acc089f6
question id
19/23
models correct
1
valid answer
83%
success rate
// reference answer
Human-validated correct answer for this question.
net accounts
// model comparison
| Model | Answer | KQL query | Status | Tries | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | net accounts | DeviceProcessEvents | where FileName == "net.exe" | where ProcessCommandLine has "accounts" | project Timestamp, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, AccountName, AccountDomain | pass | 2 | 9.89s | 0.0033 |
| gpt-35-turbo | net accounts | DeviceProcessEvents | where ProcessCommandLine contains 'net accounts' | project DeviceName, ProcessId, ProcessCommandLine, ProcessCreationTime | pass | 1 | 2.83s | 0.0023 |
| gpt-4-turbo-2024-04-09 | net accounts | DeviceProcessEvents | where ProcessCommandLine has 'net accounts' or ProcessCommandLine has 'net user' | project DeviceName, DeviceId, ProcessCommandLine, TimeGenerated | pass | 1 | 9.88s | 0.0543 |
| gpt-4.1 | net accounts | DeviceProcessEvents | where (FileName =~ "net.exe" and ProcessCommandLine has "accounts") or (FileName =~ "secedit.exe" and ProcessCommandLine has "/export") | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine | pass | 1 | 5.29s | 0.0117 |
| gpt-4.1-finetuned | no answer | no query generated | fail | 5 | 0.00s | 0.0473 |
| gpt-4.1-mini | net accounts | DeviceProcessEvents
| where ProcessCommandLine has_any ("net accounts", "secpol.msc", "net user", "gpresult", "net user /domain")
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine
| order by TimeGenerated desc | pass | 1 | 24.48s | 0.0023 |
| gpt-4.1-nano | net accounts | DeviceProcessEvents | where ProcessCommandLine contains 'net accounts' | project TimeGenerated, DeviceName, ProcessCommandLine | pass | 1 | 1.44s | 0.0005 |
| gpt-4o | net accounts | DeviceProcessEvents
| where InitiatingProcessCommandLine has_any ("net accounts", "secedit")
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountUpn | pass | 1 | 4.22s | 0.0147 |
| gpt-5-high | net | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| extend FileLower = tolower(FileName), CmdLower = tolower(ProcessCommandLine)
| where (FileLower in ("net.exe", "net1.exe") and CmdLower matches regex @"\bnet(1|\.exe)?\s+accounts(\s|$)")
or (FileLower == "secedit.exe" and CmdLower has_any (" /export", " -export"))
| extend PolicyScope = iif(CmdLower has "/domain", "Domain", "Local")
| extend Method = case(
FileLower in ("net.exe", "net1.exe"), "Listed password policy via 'net accounts'",
FileLower == "secedit.exe", "Exported local security policy via 'secedit /export'",
"Other")
| project TimeGenerated, DeviceName, AccountDomain, AccountName, FileName, ProcessCommandLine, PolicyScope, Method,
InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountDomain, InitiatingProcessAccountName
| order by TimeGenerated desc | fail | 1 | 94.58s | 0.0473 |
| gpt-5-mini-high | net accounts | (DeviceProcessEvents
| where isnotempty(ProcessCommandLine)
| where ProcessCommandLine has_cs "net accounts" or ProcessCommandLine has_cs "secedit" or ProcessCommandLine has_cs "net user" or ProcessCommandLine has_cs "gpresult" or ProcessCommandLine has_cs "Get-LocalUser" or ProcessCommandLine has_cs "Get-LocalGroup" or ProcessCommandLine has_cs "net accounts /domain" or ProcessCommandLine has_cs "net accounts /minpwlen"
| extend CommandLine = ProcessCommandLine, Source = "DeviceProcessEvents" )
| union (
DeviceEvents
| where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine)
| extend CommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine), Source = "DeviceEvents"
| where CommandLine has_cs "net accounts" or CommandLine has_cs "secedit" or CommandLine has_cs "net user" or CommandLine has_cs "gpresult" or CommandLine has_cs "Get-LocalUser" or CommandLine has_cs "Get-LocalGroup" or CommandLine has_cs "net accounts /domain" or CommandLine has_cs "net accounts /minpwlen"
)
| summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by DeviceId, DeviceName, AccountName = coalesce(InitiatingProcessAccountName, AccountName, "-"), CommandLine, Source
| order by LastSeen desc
| project LastSeen, FirstSeen, Count, DeviceName, DeviceId, AccountName, CommandLine, Source
| pass | 1 | 17.10s | 0.0052 |
| gpt-5-mini-low | net accounts | // Search for commands that list local or domain password policy settings
let keywords = dynamic(["net accounts","secedit /export","secedit /configure","secedit /export /cfg","gpresult /r","gpresult /h","auditpol /get","net user","get-localuser","get-localgroup","get-addefaultdomainpasswordpolicy","net accounts /domain"]);
// Process events with explicit ProcessCommandLine
let procEvents = DeviceProcessEvents
| where isnotempty(ProcessCommandLine)
| extend cmd = tolower(ProcessCommandLine)
| where cmd contains "net accounts"
or cmd contains "secedit /export"
or cmd contains "secedit /configure"
or cmd contains "secedit /export /cfg"
or cmd contains "gpresult /r"
or cmd contains "gpresult /h"
or cmd contains "auditpol /get"
or cmd contains "net user"
or cmd contains "get-localuser"
or cmd contains "get-localgroup"
or cmd contains "get-addefaultdomainpasswordpolicy"
or cmd contains "net accounts /domain"
| project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountDomain, FileName, ProcessId, InitiatingProcessId, ProcessCommandLine = ProcessCommandLine, InitiatingProcessCommandLine, ProcessCreationTime, InitiatingProcessCreationTime, ReportId;
// Generic DeviceEvents which may store commandline in different fields
let devEvents = DeviceEvents
| extend cmd = coalesce(tolower(InitiatingProcessCommandLine), tolower(ProcessCommandLine), tolower(tostring(AdditionalFields.CommandLine)))
| where isnotempty(cmd)
| where cmd contains "net accounts"
or cmd contains "secedit /export"
or cmd contains "secedit /configure"
or cmd contains "secedit /export /cfg"
or cmd contains "gpresult /r"
or cmd contains "gpresult /h"
or cmd contains "auditpol /get"
or cmd contains "net user"
or cmd contains "get-localuser"
or cmd contains "get-localgroup"
or cmd contains "get-addefaultdomainpasswordpolicy"
or cmd contains "net accounts /domain"
| project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountDomain, FileName, ProcessId, InitiatingProcessId, ProcessCommandLine = cmd, InitiatingProcessCommandLine, ProcessCreationTime, InitiatingProcessCreationTime, ReportId;
// Combine and summarize
procEvents
| union devEvents
| summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by DeviceName, DeviceId, AccountName, InitiatingProcessAccountName, FileName, ProcessCommandLine
| order by LastSeen desc
| limit 100
| pass | 2 | 46.44s | 0.0113 |
| gpt-5-mini-medium | net accounts | let pattern = @"(?i)\b(net accounts|net\s+user\b|secedit\s*/?(?:export|configure)|gpresult\b|get-localuser\b|get-localgroup\b)\b";
union isfuzzy=true
(
DeviceProcessEvents
| extend Cmd = tostring(coalesce(ProcessCommandLine, InitiatingProcessCommandLine, FileName))
| where isnotempty(Cmd) and Cmd matches regex pattern
| extend MatchedCommand = extract(@"(?i)\b(net accounts|net\s+user|secedit\s*/?(?:export|configure)|gpresult|get-localuser|get-localgroup)\b", 1, Cmd)
| project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain = InitiatingProcessAccountDomain, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessCommandLine, MatchedCommand, ProcessId, InitiatingProcessId, ReportId, FileName
),
(
DeviceEvents
| extend Cmd = tostring(coalesce(ProcessCommandLine, InitiatingProcessCommandLine, FileName))
| where isnotempty(Cmd) and Cmd matches regex pattern
| extend MatchedCommand = extract(@"(?i)\b(net accounts|net\s+user|secedit\s*/?(?:export|configure)|gpresult|get-localuser|get-localgroup)\b", 1, Cmd)
| project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain = InitiatingProcessAccountDomain, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessCommandLine, MatchedCommand, ProcessId = InitiatingProcessId, InitiatingProcessId = InitiatingProcessParentId, ReportId, FileName
)
| sort by TimeGenerated desc
| take 500
| pass | 2 | 44.97s | 0.0114 |
| gpt-5-nano-high | netaccounts | DeviceProcessEvents | where tolower(InitiatingProcessCommandLine) contains "net accounts" or tolower(ProcessCommandLine) contains "net accounts" or (tolower(InitiatingProcessFileName) == "net.exe" and tolower(InitiatingProcessCommandLine) contains "accounts") | project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessAccountName | sort by TimeGenerated desc | fail | 1 | 31.58s | 0.0024 |
| gpt-5-nano-medium | cmd.exe /c net accounts | DeviceProcessEvents | where InitiatingProcessFileName endswith 'net.exe' or InitiatingProcessCommandLine contains 'net accounts' or ProcessCommandLine contains 'net accounts' | extend CommandLine = coalesce(InitiatingProcessCommandLine, ProcessCommandLine) | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCreationTime, CommandLine | order by TimeGenerated desc | pass | 1 | 37.65s | 0.0024 |
| grok-3-beta | net accounts | DeviceProcessEvents | where ProcessCommandLine contains 'net accounts' | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc | pass | 1 | 8.69s | 0.0196 |
| grok-3-mini-beta | net accounts | DeviceProcessEvents | where ActionType == 'ProcessCreated' and (ProcessCommandLine contains 'net accounts') | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | summarize arg_max(TimeGenerated, *) by DeviceName, ProcessCommandLine | order by TimeGenerated desc | limit 100 | pass | 1 | 12.15s | 0.0016 |
| o1-high | net accounts | DeviceProcessEvents | where FileName =~ "net.exe" | where ProcessCommandLine has "accounts" | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | order by TimeGenerated desc | pass | 1 | 36.33s | 0.2712 |
| o1-low | net | DeviceProcessEvents | where ProcessCommandLine has '\net accounts' or (FileName =~ 'net.exe' and ProcessCommandLine has 'accounts') | project TimeGenerated, DeviceName, AccountDomain, AccountName, ProcessCommandLine, FolderPath, FileName | order by TimeGenerated desc | pass | 1 | 33.33s | 0.1685 |
| o3-high | net accounts | // Password-policy enumeration using native Windows commands
DeviceProcessEvents
| where ActionType == "ProcessCreated" // only new processes
// Look for commands that dump local password policy (case-insensitive)
| where (FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine has_cs "accounts")
or (FileName =~ "secedit.exe" and ProcessCommandLine has "/export" and ProcessCommandLine has "/cfg")
// Surface the most relevant context
| project TimeGenerated,
DeviceName,
DeviceId,
ExecutingUser = tostring(coalesce(AccountName, InitiatingProcessAccountName)),
UserDomain = tostring(coalesce(AccountDomain, InitiatingProcessAccountDomain)),
CommandLine = ProcessCommandLine,
ParentProcess = strcat(InitiatingProcessParentFileName, " (PID ", tostring(InitiatingProcessParentId), ")"),
SHA256
| order by TimeGenerated desc | pass | 2 | 63.75s | 0.0392 |
| o3-mini-high | netaccounts | DeviceProcessEvents | where InitiatingProcessCommandLine has_cs "net accounts" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, FileName, FolderPath | order by TimeGenerated desc | pass | 1 | 75.01s | 0.0109 |
| o3-mini-low | netaccounts | DeviceProcessEvents | where InitiatingProcessFileName =~ "net.exe" | where InitiatingProcessCommandLine has "accounts" | project TimeGenerated, DeviceName, InitiatingProcessCommandLine | order by TimeGenerated desc | pass | 1 | 16.63s | 0.0118 |
| o4-mini-high | net accounts | DeviceProcessEvents | where ProcessCommandLine has "net accounts" | project TimeGenerated, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, ProcessCommandLine | sort by TimeGenerated desc | pass | 3 | 86.76s | 0.0299 |
| o4-mini-low | no answer | no query generated | fail | 5 | 0.00s | 0.0357 |