Question Analysis
You suspect malicious persistence via scheduled tasks on a Windows endpoint. Review the process execution logs to identify the built-in utility used to register tasks at logon or startup. What is the name of this utility?
Question ID: fec27f65-db86-4c2d-b66c-61945aee87c2
Models Correct: 14/16
Valid Answer: 1
Success Rate: 88%
Reference Answer
Human-validated correct answer for this question
schtasks
Model Performance Comparison
See how different AI models performed on this question
Model | Answer | KQL Query | Status | Attempts | Time | Cost |
---|---|---|---|---|---|---|
gemini-2.5-flash-preview-04-17 | schtasks.exe | DeviceProcessEvents | where FileName =~ "schtasks.exe" | distinct FileName | Correct | 1 | 8.14s | 0.0033 |
gpt-35-turbo | schtasks | DeviceProcessEvents
| where ProcessCommandLine has 'schtasks'
| project ProcessCommandLine, InitiatingProcessCommandLine | Correct | 2 | 4.17s | 0.0056 |
gpt-4-turbo-2024-04-09 | schtasks | DeviceProcessEvents
| where FileName == 'schtasks.exe' and (ProcessCommandLine contains 'create' or ProcessCommandLine contains '/CREATE' or ProcessCommandLine contains '/create')
| project DeviceName, AccountName, AccountDomain, InitiatingProcessParentFileName, ProcessCommandLine, Timestamp
| distinct DeviceName, AccountName, AccountDomain, InitiatingProcessParentFileName, ProcessCommandLine, Timestamp | Correct | 4 | 35.75s | 0.2089 |
gpt-4.1 | schtasks.exe | DeviceProcessEvents
| where FileName =~ "schtasks.exe"
| summarize count() by FileName | Correct | 1 | 3.90s | 0.0106 |
gpt-4.1-finetuned | No answer provided | No query generated | Incorrect | 5 | 0.00s | 0.0328 |
gpt-4.1-mini | schtasks.exe | DeviceProcessEvents
| where ProcessCommandLine has "schtasks" or FileName =~ "schtasks.exe"
| summarize count() by FileName
| project FileName, Count=count_ | Correct | 1 | 3.30s | 0.0022 |
gpt-4.1-nano | PowerShell | DeviceProcessEvents
| where FileName in ('schtasks.exe', 'powershell.exe', 'wmic.exe', 'schtasks')
| where ProcessCommandLine contains ('register') and (ProcessCommandLine contains ('logon') or ProcessCommandLine contains ('startup') or ProcessCommandLine contains ('boot'))
| project TimeGenerated, FileName, ProcessCommandLine, InitiatingProcessFileName, DeviceName, ProcessId, InitiatingProcessId
| order by TimeGenerated desc | Incorrect | 1 | 2.61s | 0.0006 |
gpt-4o | schtasks.exe | DeviceProcessEvents
| where FileName in ('schtasks.exe', 'taskeng.exe')
| where InitiatingProcessCommandLine contains 'create' or InitiatingProcessCommandLine contains 'logon' or InitiatingProcessCommandLine contains 'startup'
| project DeviceName, AccountName, FileName, ProcessCommandLine, ProcessCreationTime | Correct | 1 | 2.77s | 0.0161 |
grok-3-beta | schtasks.exe | DeviceProcessEvents
| where FileName contains "schtasks.exe"
| where ProcessCommandLine contains "logon" or ProcessCommandLine contains "startup"
| summarize count() by FileName, ProcessCommandLine, DeviceName, AccountName, ProcessCreationTime
| order by ProcessCreationTime desc | Correct | 1 | 18.02s | 0.0217 |
grok-3-mini-beta | schtasks.exe | DeviceProcessEvents
| where FileName has "schtasks.exe"
| where ProcessCommandLine has_any ("create", "at logon", "at startup")
| summarize count() by FileName, ProcessCommandLine
| project FileName, ProcessCommandLine, count_ | Correct | 1 | 10.30s | 0.0016 |
o1-high | schtasks.exe | DeviceProcessEvents
| where ActionType =~ "ProcessCreated" or ActionType =~ "CreateProcess"
| where FileName in~ ("schtasks.exe", "at.exe")
| where ProcessCommandLine has_any ("/create", "/Create", "AtLogon", "OnStart")
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine | Correct | 1 | 32.71s | 0.2031 |
o1-low | schtasks.exe | DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName in~ ("schtasks.exe", "at.exe")
| where ProcessCommandLine has_any ("create", "onstart", "onlogon", "onboot")
| project TimeGenerated, DeviceName, AccountDomain, AccountName, FileName, ProcessCommandLine
| order by TimeGenerated desc | Correct | 1 | 23.45s | 0.1917 |
o3-mini-high | schtasks.exe | DeviceProcessEvents
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine has "create"
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by TimeGenerated desc | Correct | 1 | 9.14s | 0.0077 |
o3-mini-low | schtasks.exe | DeviceProcessEvents
| where FileName =~ "schtasks.exe"
| summarize EventCount = count() by FileName
| project FileName, EventCount | Correct | 1 | 13.23s | 0.0064 |
o4-mini-high | schtasks | DeviceProcessEvents
| where TimeGenerated between (startofday(ago(30d)) .. now()) // replace with desired timerange
| where FileName =~ "schtasks.exe"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessAccountName
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
| order by count_ desc | Correct | 1 | 28.14s | 0.0084 |
o4-mini-low | schtasks.exe | DeviceProcessEvents
| where FileName in ("schtasks.exe", "at.exe")
| where ProcessCommandLine has "/create"
| project Timestamp, DeviceName, FileName, ProcessCommandLine
| distinct FileName | Correct | 1 | 18.66s | 0.0090 |