// question
Within Windows process event logs, identify instances where the built-in net.exe utility is used to change a user account password. What was the new password argument passed in?
Reference KQL answer and model-by-model comparison.
1b99ef28-f83c-4ec5-8a08-1a56263a5bb2
question id
8/23
models correct
1
valid answer
35%
success rate
// reference answer
Human-validated correct answer for this question.
HuHuHUHoHo283283@dJD
// model comparison
| Model | Answer | KQL query | Status | Tries | Time | Cost |
|---|---|---|---|---|---|---|
| gemini-2.5-flash-preview-04-17 | no answer | no query generated | fail | 5 | 0.00s | 0.0612 |
| gpt-35-turbo | no answer | no query generated | fail | 5 | 0.00s | 0.0113 |
| gpt-4-turbo-2024-04-09 | HuHuHUHoHo283283@dJD | DeviceProcessEvents
| where FileName == 'net.exe'
| where ProcessCommandLine contains 'user'
| extend NewPasswordArgument = extract("(?i)user [^ ]+ ([^ ]+)", 1, ProcessCommandLine)
| project DeviceName, AccountName, ProcessCommandLine, NewPasswordArgument | pass | 2 | 18.65s | 0.0980 |
| gpt-4.1 | no answer | no query generated | fail | 5 | 0.00s | 0.0360 |
| gpt-4.1-finetuned | User2ChangePW! | DeviceProcessEvents | where InitiatingProcessCommandLine != "" and ProcessCommandLine has "net user" and ProcessCommandLine contains "/add" | extend NewPassword = extract(@"net user [^ ]+ ([^ ]+)", 1, ProcessCommandLine) | where isnotnull(NewPassword) | summarize LatestTimeGenerated = arg_max(TimeGenerated, *) by AccountName, AccountDomain, AccountSid, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, NewPassword, FolderPath | project TimeGenerated = LatestTimeGenerated, AccountName, AccountDomain, AccountSid, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, NewPassword, FolderPath | order by TimeGenerated desc | pass | 4 | 33.52s | 0.0402 |
| gpt-4.1-mini | no answer | no query generated | fail | 5 | 0.00s | 0.0085 |
| gpt-4.1-nano | no answer | no query generated | fail | 5 | 0.00s | 0.0013 |
| gpt-4o | no answer | no query generated | fail | 5 | 0.00s | 0.0621 |
| gpt-5-high | no answer | no query generated | fail | 5 | 0.00s | 0.2461 |
| gpt-5-mini-high | no answer | no query generated | fail | 5 | 0.00s | 0.0190 |
| gpt-5-mini-low | no answer | no query generated | fail | 5 | 0.00s | 0.0169 |
| gpt-5-mini-medium | no answer | no query generated | fail | 5 | 0.00s | 0.0122 |
| gpt-5-nano-high | no answer | no query generated | fail | 5 | 0.00s | 0.0119 |
| gpt-5-nano-medium | no answer | no query generated | fail | 5 | 0.00s | 0.0105 |
| grok-3-beta | HuHuHUHoHo283283@dJD | DeviceProcessEvents | where FileName =~ 'net.exe' | where ProcessCommandLine contains 'user' | where ProcessCommandLine matches regex @'user\s+[^\s]+\s+[^\s]+' | project Timestamp, DeviceName, AccountName, ProcessCommandLine, FileName, FolderPath | pass | 1 | 9.74s | 0.0224 |
| grok-3-mini-beta | no answer | no query generated | fail | 5 | 0.00s | 0.0074 |
| o1-high | HuHuHUHoHo283283@dJD | DeviceProcessEvents
| where FileName =~ "net.exe"
| where ProcessCommandLine has " user "
| project TimeGenerated,
DeviceName,
AccountName,
UserAccount = extract(@"(?i)net(?:\.exe)?\\s+user\\s+(\\S+)\\s+(\\S+)", 1, ProcessCommandLine),
NewPassword = extract(@"(?i)net(?:\.exe)?\\s+user\\s+(\\S+)\\s+(\\S+)", 2, ProcessCommandLine),
ProcessCommandLine
| order by TimeGenerated desc | pass | 4 | 106.69s | 0.7014 |
| o1-low | no answer | no query generated | fail | 5 | 0.00s | 0.7136 |
| o3-high | no answer | no query generated | fail | 5 | 0.00s | 0.1002 |
| o3-mini-high | HuHuHUHoHo283283@dJD | DeviceProcessEvents | where tolower(InitiatingProcessFileName) == 'net.exe' | where InitiatingProcessCommandLine has 'user' | extend NewPassword = extract(@"(?i)net\.exe\s+user\s+\S+\s+(\S+)", 1, InitiatingProcessCommandLine) | where isnotempty(NewPassword) | project TimeGenerated, DeviceName, InitiatingProcessCommandLine, NewPassword | pass | 1 | 32.49s | 0.0087 |
| o3-mini-low | HuHuHUHoHo283283@dJD | DeviceProcessEvents | where FileName =~ "net.exe" | where InitiatingProcessCommandLine has "user" | extend NewPassword = extract(@"net\.exe\s+user\s+\S+\s+(?<NewPassword>\S+)", 1, InitiatingProcessCommandLine) | where isnotempty(NewPassword) | project TimeGenerated, DeviceName, InitiatingProcessCommandLine, NewPassword | pass | 3 | 28.85s | 0.0290 |
| o4-mini-high | User2ChangePW! | DeviceProcessEvents
// Filter for the built-in net.exe utility
| where tolower(FileName) == "net.exe"
// Look for the "net user <account> <newpassword>" pattern
| where ProcessCommandLine matches regex @"\bnet\s+user\s+\S+\s+\S+"
// Extract the account name and the new password argument
| extend AccountName = extract(@"\bnet\s+user\s+(\S+)\s+\S+", 1, ProcessCommandLine),
NewPassword = extract(@"\bnet\s+user\s+\S+\s+(\S+)", 1, ProcessCommandLine)
// Select relevant columns
| project TimeGenerated, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, AccountName, NewPassword, ProcessCommandLine | pass | 1 | 25.25s | 0.0099 |
| o4-mini-low | HuHuHUHoHo283283@dJD | DeviceProcessEvents
| where FileName =~ "net.exe"
| where ProcessCommandLine has " user "
| extend TargetUser = extract(@"net\.exe\s+user\s+(\S+)", 1, ProcessCommandLine),
NewPassword = extract(@"net\.exe\s+user\s+\S+\s+(\S+)", 1, ProcessCommandLine)
| where isnotempty(NewPassword) and NewPassword != "*"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, TargetUser, NewPassword, ProcessCommandLine | pass | 1 | 38.06s | 0.0125 |