Question Analysis
Windows systems may be probed for their password policy settings using a native command-line tool. Determine which command was executed to list the local password policy on the target hosts.
Question ID: 4588d243-f24e-4549-b2e3-e627acc089f6
Models Correct: 19/23
Valid Answer: 1
Success Rate: 83%
Reference Answer
Human-validated correct answer for this question
net accounts
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | net accounts | DeviceProcessEvents
| where FileName == "net.exe"
| where ProcessCommandLine has "accounts"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, AccountName, AccountDomain | Correct | 2 | 9.89s | 0.0033 |
gpt-35-turbo | net accounts | DeviceProcessEvents | where ProcessCommandLine contains 'net accounts' | project DeviceName, ProcessId, ProcessCommandLine, ProcessCreationTime | Correct | 1 | 2.83s | 0.0023 |
gpt-4-turbo-2024-04-09 | net accounts | DeviceProcessEvents
| where ProcessCommandLine has 'net accounts' or ProcessCommandLine has 'net user'
| project DeviceName, DeviceId, ProcessCommandLine, TimeGenerated | Correct | 1 | 9.88s | 0.0543 |
gpt-4.1 | net accounts | DeviceProcessEvents
| where (FileName =~ "net.exe" and ProcessCommandLine has "accounts") or (FileName =~ "secedit.exe" and ProcessCommandLine has "/export")
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine | Correct | 1 | 5.29s | 0.0117 |
gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0473 |
gpt-4.1-mini | net accounts | DeviceProcessEvents
| where ProcessCommandLine has_any ("net accounts", "secpol.msc", "net user", "gpresult", "net user /domain")
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 24.48s | 0.0023 |
gpt-4.1-nano | net accounts | DeviceProcessEvents | where ProcessCommandLine contains 'net accounts' | project TimeGenerated, DeviceName, ProcessCommandLine | Correct | 1 | 1.44s | 0.0005 |
gpt-4o | net accounts | DeviceProcessEvents
| where InitiatingProcessCommandLine has_any ("net accounts", "secedit")
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountUpn | Correct | 1 | 4.22s | 0.0147 |
gpt-5-high | net | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| extend FileLower = tolower(FileName), CmdLower = tolower(ProcessCommandLine)
| where (FileLower in ("net.exe", "net1.exe") and CmdLower matches regex @"\bnet(1|\.exe)?\s+accounts(\s|$)")
or (FileLower == "secedit.exe" and CmdLower has_any (" /export", " -export"))
| extend PolicyScope = iif(CmdLower has "/domain", "Domain", "Local")
| extend Method = case(
FileLower in ("net.exe", "net1.exe"), "Listed password policy via 'net accounts'",
FileLower == "secedit.exe", "Exported local security policy via 'secedit /export'",
"Other")
| project TimeGenerated, DeviceName, AccountDomain, AccountName, FileName, ProcessCommandLine, PolicyScope, Method,
InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountDomain, InitiatingProcessAccountName
| order by TimeGenerated desc | Incorrect | 1 | 94.58s | 0.0473 |
gpt-5-mini-high | net accounts | (DeviceProcessEvents
| where isnotempty(ProcessCommandLine)
| where ProcessCommandLine has_cs "net accounts" or ProcessCommandLine has_cs "secedit" or ProcessCommandLine has_cs "net user" or ProcessCommandLine has_cs "gpresult" or ProcessCommandLine has_cs "Get-LocalUser" or ProcessCommandLine has_cs "Get-LocalGroup" or ProcessCommandLine has_cs "net accounts /domain" or ProcessCommandLine has_cs "net accounts /minpwlen"
| extend CommandLine = ProcessCommandLine, Source = "DeviceProcessEvents" )
| union (
DeviceEvents
| where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine)
| extend CommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine), Source = "DeviceEvents"
| where CommandLine has_cs "net accounts" or CommandLine has_cs "secedit" or CommandLine has_cs "net user" or CommandLine has_cs "gpresult" or CommandLine has_cs "Get-LocalUser" or CommandLine has_cs "Get-LocalGroup" or CommandLine has_cs "net accounts /domain" or CommandLine has_cs "net accounts /minpwlen"
)
| summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by DeviceId, DeviceName, AccountName = coalesce(InitiatingProcessAccountName, AccountName, "-"), CommandLine, Source
| order by LastSeen desc
| project LastSeen, FirstSeen, Count, DeviceName, DeviceId, AccountName, CommandLine, Source
| Correct | 1 | 17.10s | 0.0052 |
gpt-5-mini-low | net accounts | // Search for commands that list local or domain password policy settings
let keywords = dynamic(["net accounts","secedit /export","secedit /configure","secedit /export /cfg","gpresult /r","gpresult /h","auditpol /get","net user","get-localuser","get-localgroup","get-addefaultdomainpasswordpolicy","net accounts /domain"]);
// Process events with explicit ProcessCommandLine
let procEvents = DeviceProcessEvents
| where isnotempty(ProcessCommandLine)
| extend cmd = tolower(ProcessCommandLine)
| where cmd contains "net accounts"
or cmd contains "secedit /export"
or cmd contains "secedit /configure"
or cmd contains "secedit /export /cfg"
or cmd contains "gpresult /r"
or cmd contains "gpresult /h"
or cmd contains "auditpol /get"
or cmd contains "net user"
or cmd contains "get-localuser"
or cmd contains "get-localgroup"
or cmd contains "get-addefaultdomainpasswordpolicy"
or cmd contains "net accounts /domain"
| project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountDomain, FileName, ProcessId, InitiatingProcessId, ProcessCommandLine = ProcessCommandLine, InitiatingProcessCommandLine, ProcessCreationTime, InitiatingProcessCreationTime, ReportId;
// Generic DeviceEvents which may store commandline in different fields
let devEvents = DeviceEvents
| extend cmd = coalesce(tolower(InitiatingProcessCommandLine), tolower(ProcessCommandLine), tolower(tostring(AdditionalFields.CommandLine)))
| where isnotempty(cmd)
| where cmd contains "net accounts"
or cmd contains "secedit /export"
or cmd contains "secedit /configure"
or cmd contains "secedit /export /cfg"
or cmd contains "gpresult /r"
or cmd contains "gpresult /h"
or cmd contains "auditpol /get"
or cmd contains "net user"
or cmd contains "get-localuser"
or cmd contains "get-localgroup"
or cmd contains "get-addefaultdomainpasswordpolicy"
or cmd contains "net accounts /domain"
| project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountDomain, FileName, ProcessId, InitiatingProcessId, ProcessCommandLine = cmd, InitiatingProcessCommandLine, ProcessCreationTime, InitiatingProcessCreationTime, ReportId;
// Combine and summarize
procEvents
| union devEvents
| summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by DeviceName, DeviceId, AccountName, InitiatingProcessAccountName, FileName, ProcessCommandLine
| order by LastSeen desc
| limit 100
| Correct | 2 | 46.44s | 0.0113 |
gpt-5-mini-medium | net accounts | let pattern = @"(?i)\b(net accounts|net\s+user\b|secedit\s*/?(?:export|configure)|gpresult\b|get-localuser\b|get-localgroup\b)\b";
union isfuzzy=true
(
DeviceProcessEvents
| extend Cmd = tostring(coalesce(ProcessCommandLine, InitiatingProcessCommandLine, FileName))
| where isnotempty(Cmd) and Cmd matches regex pattern
| extend MatchedCommand = extract(@"(?i)\b(net accounts|net\s+user|secedit\s*/?(?:export|configure)|gpresult|get-localuser|get-localgroup)\b", 1, Cmd)
| project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain = InitiatingProcessAccountDomain, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessCommandLine, MatchedCommand, ProcessId, InitiatingProcessId, ReportId, FileName
),
(
DeviceEvents
| extend Cmd = tostring(coalesce(ProcessCommandLine, InitiatingProcessCommandLine, FileName))
| where isnotempty(Cmd) and Cmd matches regex pattern
| extend MatchedCommand = extract(@"(?i)\b(net accounts|net\s+user|secedit\s*/?(?:export|configure)|gpresult|get-localuser|get-localgroup)\b", 1, Cmd)
| project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain = InitiatingProcessAccountDomain, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessCommandLine, MatchedCommand, ProcessId = InitiatingProcessId, InitiatingProcessId = InitiatingProcessParentId, ReportId, FileName
)
| sort by TimeGenerated desc
| take 500
| Correct | 2 | 44.97s | 0.0114 |
gpt-5-nano-high | netaccounts | DeviceProcessEvents
| where tolower(InitiatingProcessCommandLine) contains "net accounts"
or tolower(ProcessCommandLine) contains "net accounts"
or (tolower(InitiatingProcessFileName) == "net.exe" and tolower(InitiatingProcessCommandLine) contains "accounts")
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessAccountName
| sort by TimeGenerated desc | Incorrect | 1 | 31.58s | 0.0024 |
gpt-5-nano-medium | cmd.exe /c net accounts | DeviceProcessEvents
| where InitiatingProcessFileName endswith 'net.exe' or InitiatingProcessCommandLine contains 'net accounts' or ProcessCommandLine contains 'net accounts'
| extend CommandLine = coalesce(InitiatingProcessCommandLine, ProcessCommandLine)
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCreationTime, CommandLine
| order by TimeGenerated desc | Correct | 1 | 37.65s | 0.0024 |
grok-3-beta | net accounts | DeviceProcessEvents
| where ProcessCommandLine contains 'net accounts'
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc | Correct | 1 | 8.69s | 0.0196 |
grok-3-mini-beta | net accounts | DeviceProcessEvents
| where ActionType == 'ProcessCreated' and (ProcessCommandLine contains 'net accounts')
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| summarize arg_max(TimeGenerated, *) by DeviceName, ProcessCommandLine
| order by TimeGenerated desc
| limit 100 | Correct | 1 | 12.15s | 0.0016 |
o1-high | net accounts | DeviceProcessEvents
| where FileName =~ "net.exe"
| where ProcessCommandLine has "accounts"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 36.33s | 0.2712 |
o1-low | net | DeviceProcessEvents
| where ProcessCommandLine has '\net accounts' or (FileName =~ 'net.exe' and ProcessCommandLine has 'accounts')
| project TimeGenerated, DeviceName, AccountDomain, AccountName, ProcessCommandLine, FolderPath, FileName
| order by TimeGenerated desc | Correct | 1 | 33.33s | 0.1685 |
o3-high | net accounts | // Password-policy enumeration using native Windows commands
DeviceProcessEvents
| where ActionType == "ProcessCreated" // only new processes
// Look for commands that dump local password policy (case-insensitive)
| where (FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine has_cs "accounts")
or (FileName =~ "secedit.exe" and ProcessCommandLine has "/export" and ProcessCommandLine has "/cfg")
// Surface the most relevant context
| project TimeGenerated,
DeviceName,
DeviceId,
ExecutingUser = tostring(coalesce(AccountName, InitiatingProcessAccountName)),
UserDomain = tostring(coalesce(AccountDomain, InitiatingProcessAccountDomain)),
CommandLine = ProcessCommandLine,
ParentProcess = strcat(InitiatingProcessParentFileName, " (PID ", tostring(InitiatingProcessParentId), ")"),
SHA256
| order by TimeGenerated desc | Correct | 2 | 63.75s | 0.0392 |
o3-mini-high | netaccounts | DeviceProcessEvents
| where InitiatingProcessCommandLine has_cs "net accounts"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, FileName, FolderPath
| order by TimeGenerated desc | Correct | 1 | 75.01s | 0.0109 |
o3-mini-low | netaccounts | DeviceProcessEvents
| where InitiatingProcessFileName =~ "net.exe"
| where InitiatingProcessCommandLine has "accounts"
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 16.63s | 0.0118 |
o4-mini-high | net accounts | DeviceProcessEvents
| where ProcessCommandLine has "net accounts"
| project TimeGenerated, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, ProcessCommandLine
| sort by TimeGenerated desc | Correct | 3 | 86.76s | 0.0299 |
o4-mini-low | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0357 |