// question

Windows systems may be probed for their password policy settings using a native command-line tool. Determine which command was executed to list the local password policy on the target hosts.

Reference KQL answer and model-by-model comparison.

4588d243-f24e-4549-b2e3-e627acc089f6
question id
19/23
models correct
1
valid answer
83%
success rate
// reference answer

Human-validated correct answer for this question.

net accounts
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
net accounts
DeviceProcessEvents
| where FileName == "net.exe"
| where ProcessCommandLine has "accounts"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, AccountName, AccountDomain
pass29.89s0.0033
gpt-35-turbo
net accounts
DeviceProcessEvents | where ProcessCommandLine contains 'net accounts' | project DeviceName, ProcessId, ProcessCommandLine, ProcessCreationTime
pass12.83s0.0023
gpt-4-turbo-2024-04-09
net accounts
DeviceProcessEvents
| where ProcessCommandLine has 'net accounts' or ProcessCommandLine has 'net user'
| project DeviceName, DeviceId, ProcessCommandLine, TimeGenerated
pass19.88s0.0543
gpt-4.1
net accounts
DeviceProcessEvents
| where (FileName =~ "net.exe" and ProcessCommandLine has "accounts") or (FileName =~ "secedit.exe" and ProcessCommandLine has "/export")
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine
pass15.29s0.0117
gpt-4.1-finetuned
no answer
no query generatedfail50.00s0.0473
gpt-4.1-mini
net accounts
DeviceProcessEvents
| where ProcessCommandLine has_any ("net accounts", "secpol.msc", "net user", "gpresult", "net user /domain")
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine
| order by TimeGenerated desc
pass124.48s0.0023
gpt-4.1-nano
net accounts
DeviceProcessEvents | where ProcessCommandLine contains 'net accounts' | project TimeGenerated, DeviceName, ProcessCommandLine
pass11.44s0.0005
gpt-4o
net accounts
DeviceProcessEvents
| where InitiatingProcessCommandLine has_any ("net accounts", "secedit")
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountUpn
pass14.22s0.0147
gpt-5-high
net
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| extend FileLower = tolower(FileName), CmdLower = tolower(ProcessCommandLine)
| where (FileLower in ("net.exe", "net1.exe") and CmdLower matches regex @"\bnet(1|\.exe)?\s+accounts(\s|$)")
   or (FileLower == "secedit.exe" and CmdLower has_any (" /export", " -export"))
| extend PolicyScope = iif(CmdLower has "/domain", "Domain", "Local")
| extend Method = case(
    FileLower in ("net.exe", "net1.exe"), "Listed password policy via 'net accounts'",
    FileLower == "secedit.exe", "Exported local security policy via 'secedit /export'",
    "Other")
| project TimeGenerated, DeviceName, AccountDomain, AccountName, FileName, ProcessCommandLine, PolicyScope, Method,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountDomain, InitiatingProcessAccountName
| order by TimeGenerated desc
fail194.58s0.0473
gpt-5-mini-high
net accounts
(DeviceProcessEvents
| where isnotempty(ProcessCommandLine)
| where ProcessCommandLine has_cs "net accounts" or ProcessCommandLine has_cs "secedit" or ProcessCommandLine has_cs "net user" or ProcessCommandLine has_cs "gpresult" or ProcessCommandLine has_cs "Get-LocalUser" or ProcessCommandLine has_cs "Get-LocalGroup" or ProcessCommandLine has_cs "net accounts /domain" or ProcessCommandLine has_cs "net accounts /minpwlen"
| extend CommandLine = ProcessCommandLine, Source = "DeviceProcessEvents" )
| union (
    DeviceEvents
    | where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine)
    | extend CommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine), Source = "DeviceEvents"
    | where CommandLine has_cs "net accounts" or CommandLine has_cs "secedit" or CommandLine has_cs "net user" or CommandLine has_cs "gpresult" or CommandLine has_cs "Get-LocalUser" or CommandLine has_cs "Get-LocalGroup" or CommandLine has_cs "net accounts /domain" or CommandLine has_cs "net accounts /minpwlen"
)
| summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by DeviceId, DeviceName, AccountName = coalesce(InitiatingProcessAccountName, AccountName, "-"), CommandLine, Source
| order by LastSeen desc
| project LastSeen, FirstSeen, Count, DeviceName, DeviceId, AccountName, CommandLine, Source
pass117.10s0.0052
gpt-5-mini-low
net accounts
// Search for commands that list local or domain password policy settings
let keywords = dynamic(["net accounts","secedit /export","secedit /configure","secedit /export /cfg","gpresult /r","gpresult /h","auditpol /get","net user","get-localuser","get-localgroup","get-addefaultdomainpasswordpolicy","net accounts /domain"]);

// Process events with explicit ProcessCommandLine
let procEvents = DeviceProcessEvents
| where isnotempty(ProcessCommandLine)
| extend cmd = tolower(ProcessCommandLine)
| where cmd contains "net accounts"
    or cmd contains "secedit /export"
    or cmd contains "secedit /configure"
    or cmd contains "secedit /export /cfg"
    or cmd contains "gpresult /r"
    or cmd contains "gpresult /h"
    or cmd contains "auditpol /get"
    or cmd contains "net user"
    or cmd contains "get-localuser"
    or cmd contains "get-localgroup"
    or cmd contains "get-addefaultdomainpasswordpolicy"
    or cmd contains "net accounts /domain"
| project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountDomain, FileName, ProcessId, InitiatingProcessId, ProcessCommandLine = ProcessCommandLine, InitiatingProcessCommandLine, ProcessCreationTime, InitiatingProcessCreationTime, ReportId;

// Generic DeviceEvents which may store commandline in different fields
let devEvents = DeviceEvents
| extend cmd = coalesce(tolower(InitiatingProcessCommandLine), tolower(ProcessCommandLine), tolower(tostring(AdditionalFields.CommandLine)))
| where isnotempty(cmd)
| where cmd contains "net accounts"
    or cmd contains "secedit /export"
    or cmd contains "secedit /configure"
    or cmd contains "secedit /export /cfg"
    or cmd contains "gpresult /r"
    or cmd contains "gpresult /h"
    or cmd contains "auditpol /get"
    or cmd contains "net user"
    or cmd contains "get-localuser"
    or cmd contains "get-localgroup"
    or cmd contains "get-addefaultdomainpasswordpolicy"
    or cmd contains "net accounts /domain"
| project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountDomain, FileName, ProcessId, InitiatingProcessId, ProcessCommandLine = cmd, InitiatingProcessCommandLine, ProcessCreationTime, InitiatingProcessCreationTime, ReportId;

// Combine and summarize
procEvents
| union devEvents
| summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by DeviceName, DeviceId, AccountName, InitiatingProcessAccountName, FileName, ProcessCommandLine
| order by LastSeen desc
| limit 100
pass246.44s0.0113
gpt-5-mini-medium
net accounts
let pattern = @"(?i)\b(net accounts|net\s+user\b|secedit\s*/?(?:export|configure)|gpresult\b|get-localuser\b|get-localgroup\b)\b";

union isfuzzy=true
(
    DeviceProcessEvents
    | extend Cmd = tostring(coalesce(ProcessCommandLine, InitiatingProcessCommandLine, FileName))
    | where isnotempty(Cmd) and Cmd matches regex pattern
    | extend MatchedCommand = extract(@"(?i)\b(net accounts|net\s+user|secedit\s*/?(?:export|configure)|gpresult|get-localuser|get-localgroup)\b", 1, Cmd)
    | project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain = InitiatingProcessAccountDomain, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessCommandLine, MatchedCommand, ProcessId, InitiatingProcessId, ReportId, FileName
),
(
    DeviceEvents
    | extend Cmd = tostring(coalesce(ProcessCommandLine, InitiatingProcessCommandLine, FileName))
    | where isnotempty(Cmd) and Cmd matches regex pattern
    | extend MatchedCommand = extract(@"(?i)\b(net accounts|net\s+user|secedit\s*/?(?:export|configure)|gpresult|get-localuser|get-localgroup)\b", 1, Cmd)
    | project TimeGenerated, DeviceName, DeviceId, AccountName, AccountDomain = InitiatingProcessAccountDomain, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessCommandLine, MatchedCommand, ProcessId = InitiatingProcessId, InitiatingProcessId = InitiatingProcessParentId, ReportId, FileName
)
| sort by TimeGenerated desc
| take 500
pass244.97s0.0114
gpt-5-nano-high
netaccounts
DeviceProcessEvents
| where tolower(InitiatingProcessCommandLine) contains "net accounts" 
   or tolower(ProcessCommandLine) contains "net accounts"
   or (tolower(InitiatingProcessFileName) == "net.exe" and tolower(InitiatingProcessCommandLine) contains "accounts")
| project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessAccountName
| sort by TimeGenerated desc
fail131.58s0.0024
gpt-5-nano-medium
cmd.exe /c net accounts
DeviceProcessEvents
| where InitiatingProcessFileName endswith 'net.exe' or InitiatingProcessCommandLine contains 'net accounts' or ProcessCommandLine contains 'net accounts'
| extend CommandLine = coalesce(InitiatingProcessCommandLine, ProcessCommandLine)
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCreationTime, CommandLine
| order by TimeGenerated desc
pass137.65s0.0024
grok-3-beta
net accounts
DeviceProcessEvents
| where ProcessCommandLine contains 'net accounts'
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
pass18.69s0.0196
grok-3-mini-beta
net accounts
DeviceProcessEvents
| where ActionType == 'ProcessCreated' and (ProcessCommandLine contains 'net accounts')
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| summarize arg_max(TimeGenerated, *) by DeviceName, ProcessCommandLine
| order by TimeGenerated desc
| limit 100
pass112.15s0.0016
o1-high
net accounts
DeviceProcessEvents
| where FileName =~ "net.exe"
| where ProcessCommandLine has "accounts"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated desc
pass136.33s0.2712
o1-low
net
DeviceProcessEvents
| where ProcessCommandLine has '\net accounts' or (FileName =~ 'net.exe' and ProcessCommandLine has 'accounts')
| project TimeGenerated, DeviceName, AccountDomain, AccountName, ProcessCommandLine, FolderPath, FileName
| order by TimeGenerated desc
pass133.33s0.1685
o3-high
net accounts
// Password-policy enumeration using native Windows commands
DeviceProcessEvents
| where ActionType == "ProcessCreated"  // only new processes
// Look for commands that dump local password policy (case-insensitive)
| where (FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine has_cs "accounts")
    or (FileName =~ "secedit.exe" and ProcessCommandLine has "/export" and ProcessCommandLine has "/cfg")
// Surface the most relevant context
| project TimeGenerated,
          DeviceName,
          DeviceId,
          ExecutingUser = tostring(coalesce(AccountName, InitiatingProcessAccountName)),
          UserDomain    = tostring(coalesce(AccountDomain, InitiatingProcessAccountDomain)),
          CommandLine   = ProcessCommandLine,
          ParentProcess = strcat(InitiatingProcessParentFileName, " (PID ", tostring(InitiatingProcessParentId), ")"),
          SHA256
| order by TimeGenerated desc
pass263.75s0.0392
o3-mini-high
netaccounts
DeviceProcessEvents
| where InitiatingProcessCommandLine has_cs "net accounts"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, FileName, FolderPath
| order by TimeGenerated desc
pass175.01s0.0109
o3-mini-low
netaccounts
DeviceProcessEvents
| where InitiatingProcessFileName =~ "net.exe"
| where InitiatingProcessCommandLine has "accounts"
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine
| order by TimeGenerated desc
pass116.63s0.0118
o4-mini-high
net accounts
DeviceProcessEvents
| where ProcessCommandLine has "net accounts"
| project TimeGenerated, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, ProcessCommandLine
| sort by TimeGenerated desc
pass386.76s0.0299
o4-mini-low
no answer
no query generatedfail50.00s0.0357