Query Details

Rule : Git Author Masquerading via Local User Config Changes

Defense Evasion Git Config Masquerade

Query

DeviceProcessEvents
| where ProcessCommandLine has "git config --local"
| where ProcessCommandLine has_any ("user.name", "user.email")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          FolderPath, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

About this query

Explanation

This query is designed to detect suspicious changes to Git configuration settings on a local machine, specifically focusing on changes to the author's name or email. These changes can be a sign of someone trying to impersonate a trusted contributor by altering their identity settings just before making a commit to a Git repository.

Key Points:

  1. Purpose: The query aims to identify potential malicious activity where someone might be trying to masquerade as a trusted developer by changing Git configuration settings locally.

  2. Detection Logic:

    • It looks for commands that change the Git user name or email locally (git config --local user.name and git config --local user.email).
    • It captures events where these commands are executed.
  3. Data Source: The query uses the DeviceProcessEvents table, which logs process-related activities on devices.

  4. Query Details:

    • Filters for processes where the command line includes git config --local and either user.name or user.email.
    • Projects relevant details such as timestamp, device name, account name, and command line used.
    • Orders the results by the most recent events.
  5. False Positives:

    • The query is tuned to exclude benign scenarios like initial setup scripts or validated administrative templates.
    • Focuses on repeated changes or those followed by suspicious Git activities like amend or force-push.
  6. Triage Steps:

    • Investigate the user's previous and subsequent Git activities.
    • Verify if the identity matches known corporate or contractor accounts.
    • Look for signs of commit amendments or identity impersonation.
    • Check if the repository was altered after the identity change.
  7. Use Case: This is particularly useful for detecting impersonation attempts in environments where contractors or third-party developers have access to repositories, ensuring that only authorized identities are making changes.

Details

Ali Hussein profile picture

Ali Hussein

Released: April 1, 2026

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsTimestampNameAccountFileCommandLineFolderPathSHA1Initiating

Operators

wherehashas_anyprojectorder by

Actions

GitHub