Rule : Correlation of Git Abuse with VS Code Task or Workspace Triggering
Correlation Git And VS Code Task Abuse
Query
let GitAbuse = DeviceProcessEvents
| where ProcessCommandLine has_any ("git commit --amend", "--no-verify", "git push -f", "git push --force", "git config --local")
| project DeviceId, GitTime=Timestamp, DeviceName, AccountName, GitCmd=ProcessCommandLine;
let SuspiciousNode = DeviceProcessEvents
| where FileName in~ ("node.exe", "node")
| where ProcessCommandLine has_any (".woff2", ".woff", ".ttf", ".otf", ".eot")
| where InitiatingProcessFileName in~ ("Code.exe", "code", "cmd.exe", "powershell.exe", "bash", "sh", "zsh")
or InitiatingProcessCommandLine has_any ("Code.exe", "code", ".vscode", "tasks.json", "folderOpen")
| project DeviceId, NodeTime=Timestamp, NodeCmd=ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine;
GitAbuse
| join kind=inner SuspiciousNode on DeviceId
| where NodeTime between (GitTime - 7d .. GitTime + 7d)
| project DeviceName, AccountName, GitTime, GitCmd, NodeTime, NodeCmd, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by NodeTime descAbout this query
Explanation
This query is designed to detect suspicious activities that involve tampering with Git repositories followed by potentially malicious actions executed through Visual Studio Code (VS Code) or similar environments. Here's a simplified breakdown of what the query does:
-
Objective: The query aims to identify a sequence of events where Git repository manipulation (like amending commits or force-pushing changes) is followed by suspicious execution of code, possibly indicating a security breach in a developer's environment.
-
Detection Logic:
- It looks for Git commands that suggest repository tampering, such as
git commit --amendorgit push --force. - It also searches for the execution of Node.js processes that might be running disguised or suspicious content, especially if initiated by VS Code or command-line interfaces like PowerShell or Bash.
- It looks for Git commands that suggest repository tampering, such as
-
Data Sources: The query uses data from the
DeviceProcessEventstable, which logs process activities on devices. -
Query Steps:
- Identify Git Abuse: It filters events where Git commands indicate possible abuse and captures details like device ID, timestamp, and command line used.
- Identify Suspicious Node Execution: It filters for Node.js executions that involve potentially malicious files and checks if they were initiated by VS Code or similar processes.
- Correlation: It correlates the two sets of events by matching them on the same device and checking if the suspicious Node execution occurred within a week before or after the Git abuse.
-
Output: The query outputs a list of devices and accounts where both Git abuse and suspicious Node execution were detected, along with relevant timestamps and command details.
-
False Positive Tuning: To reduce false positives, the query should initially focus on developer machines and exclude known benign activities, especially in environments with external contributors or recent suspicious changes.
-
Triage Steps: If a potential compromise is detected, steps include verifying the sequence of events, checking for hidden or disguised scripts, analyzing network activity for unusual patterns, and confirming if the repository was recently accessed or modified in the IDE.
-
Investigation Notes: This query is valuable for identifying potential supply chain compromises in developer environments, where unauthorized changes in code repositories are followed by malicious code execution.
Details

Ali Hussein
Released: April 1, 2026
Tables
Keywords
Operators