// question

Within Windows process event logs, identify instances where the built-in net.exe utility is used to change a user account password. What was the new password argument passed in?

Reference KQL answer and model-by-model comparison.

1b99ef28-f83c-4ec5-8a08-1a56263a5bb2
question id
8/23
models correct
1
valid answer
35%
success rate
// reference answer

Human-validated correct answer for this question.

HuHuHUHoHo283283@dJD
// model comparison
ModelAnswerKQL queryStatusTriesTimeCost
gemini-2.5-flash-preview-04-17
no answer
no query generatedfail50.00s0.0612
gpt-35-turbo
no answer
no query generatedfail50.00s0.0113
gpt-4-turbo-2024-04-09
HuHuHUHoHo283283@dJD
DeviceProcessEvents
| where FileName == 'net.exe'
| where ProcessCommandLine contains 'user'
| extend NewPasswordArgument = extract("(?i)user [^ ]+ ([^ ]+)", 1, ProcessCommandLine)
| project DeviceName, AccountName, ProcessCommandLine, NewPasswordArgument
pass218.65s0.0980
gpt-4.1
no answer
no query generatedfail50.00s0.0360
gpt-4.1-finetuned
User2ChangePW!
DeviceProcessEvents
| where InitiatingProcessCommandLine != "" and ProcessCommandLine has "net user" and ProcessCommandLine contains "/add"
| extend NewPassword = extract(@"net user [^ ]+ ([^ ]+)", 1, ProcessCommandLine)
| where isnotnull(NewPassword)
| summarize LatestTimeGenerated = arg_max(TimeGenerated, *) by AccountName, AccountDomain, AccountSid, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, NewPassword, FolderPath
| project TimeGenerated = LatestTimeGenerated, AccountName, AccountDomain, AccountSid, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, NewPassword, FolderPath
| order by TimeGenerated desc
pass433.52s0.0402
gpt-4.1-mini
no answer
no query generatedfail50.00s0.0085
gpt-4.1-nano
no answer
no query generatedfail50.00s0.0013
gpt-4o
no answer
no query generatedfail50.00s0.0621
gpt-5-high
no answer
no query generatedfail50.00s0.2461
gpt-5-mini-high
no answer
no query generatedfail50.00s0.0190
gpt-5-mini-low
no answer
no query generatedfail50.00s0.0169
gpt-5-mini-medium
no answer
no query generatedfail50.00s0.0122
gpt-5-nano-high
no answer
no query generatedfail50.00s0.0119
gpt-5-nano-medium
no answer
no query generatedfail50.00s0.0105
grok-3-beta
HuHuHUHoHo283283@dJD
DeviceProcessEvents
| where FileName =~ 'net.exe'
| where ProcessCommandLine contains 'user'
| where ProcessCommandLine matches regex @'user\s+[^\s]+\s+[^\s]+'
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, FileName, FolderPath
pass19.74s0.0224
grok-3-mini-beta
no answer
no query generatedfail50.00s0.0074
o1-high
HuHuHUHoHo283283@dJD
DeviceProcessEvents
| where FileName =~ "net.exe"
| where ProcessCommandLine has " user "
| project TimeGenerated,
          DeviceName,
          AccountName,
          UserAccount = extract(@"(?i)net(?:\.exe)?\\s+user\\s+(\\S+)\\s+(\\S+)", 1, ProcessCommandLine),
          NewPassword = extract(@"(?i)net(?:\.exe)?\\s+user\\s+(\\S+)\\s+(\\S+)", 2, ProcessCommandLine),
          ProcessCommandLine
| order by TimeGenerated desc
pass4106.69s0.7014
o1-low
no answer
no query generatedfail50.00s0.7136
o3-high
no answer
no query generatedfail50.00s0.1002
o3-mini-high
HuHuHUHoHo283283@dJD
DeviceProcessEvents
| where tolower(InitiatingProcessFileName) == 'net.exe'
| where InitiatingProcessCommandLine has 'user'
| extend NewPassword = extract(@"(?i)net\.exe\s+user\s+\S+\s+(\S+)", 1, InitiatingProcessCommandLine)
| where isnotempty(NewPassword)
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, NewPassword
pass132.49s0.0087
o3-mini-low
HuHuHUHoHo283283@dJD
DeviceProcessEvents
| where FileName =~ "net.exe"
| where InitiatingProcessCommandLine has "user"
| extend NewPassword = extract(@"net\.exe\s+user\s+\S+\s+(?<NewPassword>\S+)", 1, InitiatingProcessCommandLine)
| where isnotempty(NewPassword)
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, NewPassword
pass328.85s0.0290
o4-mini-high
User2ChangePW!
DeviceProcessEvents
// Filter for the built-in net.exe utility
| where tolower(FileName) == "net.exe"
// Look for the "net user <account> <newpassword>" pattern
| where ProcessCommandLine matches regex @"\bnet\s+user\s+\S+\s+\S+"
// Extract the account name and the new password argument
| extend AccountName = extract(@"\bnet\s+user\s+(\S+)\s+\S+", 1, ProcessCommandLine),
         NewPassword = extract(@"\bnet\s+user\s+\S+\s+(\S+)", 1, ProcessCommandLine)
// Select relevant columns
| project TimeGenerated, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, AccountName, NewPassword, ProcessCommandLine
pass125.25s0.0099
o4-mini-low
HuHuHUHoHo283283@dJD
DeviceProcessEvents
| where FileName =~ "net.exe"
| where ProcessCommandLine has " user "
| extend TargetUser = extract(@"net\.exe\s+user\s+(\S+)", 1, ProcessCommandLine),
         NewPassword = extract(@"net\.exe\s+user\s+\S+\s+(\S+)", 1, ProcessCommandLine)
| where isnotempty(NewPassword) and NewPassword != "*"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, TargetUser, NewPassword, ProcessCommandLine
pass138.06s0.0125