Query Details

Rule : Correlation of Git Abuse with VS Code Task or Workspace Triggering

Correlation Git And VS Code Task Abuse

Query

let GitAbuse = DeviceProcessEvents
| where ProcessCommandLine has_any ("git commit --amend", "--no-verify", "git push -f", "git push --force", "git config --local")
| project DeviceId, GitTime=Timestamp, DeviceName, AccountName, GitCmd=ProcessCommandLine;
let SuspiciousNode = DeviceProcessEvents
| where FileName in~ ("node.exe", "node")
| where ProcessCommandLine has_any (".woff2", ".woff", ".ttf", ".otf", ".eot")
| where InitiatingProcessFileName in~ ("Code.exe", "code", "cmd.exe", "powershell.exe", "bash", "sh", "zsh")
   or InitiatingProcessCommandLine has_any ("Code.exe", "code", ".vscode", "tasks.json", "folderOpen")
| project DeviceId, NodeTime=Timestamp, NodeCmd=ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine;
GitAbuse
| join kind=inner SuspiciousNode on DeviceId
| where NodeTime between (GitTime - 7d .. GitTime + 7d)
| project DeviceName, AccountName, GitTime, GitCmd, NodeTime, NodeCmd, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by NodeTime desc

About this query

Explanation

This query is designed to detect suspicious activities that involve tampering with Git repositories followed by potentially malicious actions executed through Visual Studio Code (VS Code) or similar environments. Here's a simplified breakdown of what the query does:

  1. Objective: The query aims to identify a sequence of events where Git repository manipulation (like amending commits or force-pushing changes) is followed by suspicious execution of code, possibly indicating a security breach in a developer's environment.

  2. Detection Logic:

    • It looks for Git commands that suggest repository tampering, such as git commit --amend or git push --force.
    • It also searches for the execution of Node.js processes that might be running disguised or suspicious content, especially if initiated by VS Code or command-line interfaces like PowerShell or Bash.
  3. Data Sources: The query uses data from the DeviceProcessEvents table, which logs process activities on devices.

  4. Query Steps:

    • Identify Git Abuse: It filters events where Git commands indicate possible abuse and captures details like device ID, timestamp, and command line used.
    • Identify Suspicious Node Execution: It filters for Node.js executions that involve potentially malicious files and checks if they were initiated by VS Code or similar processes.
    • Correlation: It correlates the two sets of events by matching them on the same device and checking if the suspicious Node execution occurred within a week before or after the Git abuse.
  5. Output: The query outputs a list of devices and accounts where both Git abuse and suspicious Node execution were detected, along with relevant timestamps and command details.

  6. False Positive Tuning: To reduce false positives, the query should initially focus on developer machines and exclude known benign activities, especially in environments with external contributors or recent suspicious changes.

  7. Triage Steps: If a potential compromise is detected, steps include verifying the sequence of events, checking for hidden or disguised scripts, analyzing network activity for unusual patterns, and confirming if the repository was recently accessed or modified in the IDE.

  8. Investigation Notes: This query is valuable for identifying potential supply chain compromises in developer environments, where unauthorized changes in code repositories are followed by malicious code execution.

Details

Ali Hussein profile picture

Ali Hussein

Released: April 1, 2026

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsGitNodeVSCodeShellTaskWorkspaceRepositoryDeveloperEndpointNetworkInfrastructurePayloadIDESupplyChain

Operators

lethas_anyprojectin~orjoin kind=innerbetweenorder by

Actions

GitHub