Rule : Git Author Masquerading via Local User Config Changes
Defense Evasion Git Config Masquerade
Query
DeviceProcessEvents
| where ProcessCommandLine has "git config --local"
| where ProcessCommandLine has_any ("user.name", "user.email")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
FolderPath, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp descAbout this query
Explanation
This query is designed to detect suspicious changes to Git configuration settings on a local machine, specifically focusing on changes to the author's name or email. These changes can be a sign of someone trying to impersonate a trusted contributor by altering their identity settings just before making a commit to a Git repository.
Key Points:
-
Purpose: The query aims to identify potential malicious activity where someone might be trying to masquerade as a trusted developer by changing Git configuration settings locally.
-
Detection Logic:
- It looks for commands that change the Git user name or email locally (
git config --local user.nameandgit config --local user.email). - It captures events where these commands are executed.
- It looks for commands that change the Git user name or email locally (
-
Data Source: The query uses the
DeviceProcessEventstable, which logs process-related activities on devices. -
Query Details:
- Filters for processes where the command line includes
git config --localand eitheruser.nameoruser.email. - Projects relevant details such as timestamp, device name, account name, and command line used.
- Orders the results by the most recent events.
- Filters for processes where the command line includes
-
False Positives:
- The query is tuned to exclude benign scenarios like initial setup scripts or validated administrative templates.
- Focuses on repeated changes or those followed by suspicious Git activities like amend or force-push.
-
Triage Steps:
- Investigate the user's previous and subsequent Git activities.
- Verify if the identity matches known corporate or contractor accounts.
- Look for signs of commit amendments or identity impersonation.
- Check if the repository was altered after the identity change.
-
Use Case: This is particularly useful for detecting impersonation attempts in environments where contractors or third-party developers have access to repositories, ensuring that only authorized identities are making changes.
Details

Ali Hussein
Released: April 1, 2026
Tables
Keywords
Operators