Query Details

Rule : System Time Manipulation Followed by Git Activity

Defense Evasion Time Change Git

Query

let TimeChange = DeviceProcessEvents
| where FileName in~ ("cmd.exe", "powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any ("date ", "time ", "Set-Date");
let GitOps = DeviceProcessEvents
| where ProcessCommandLine has_any ("git commit", "git push", "git add", "git config");
TimeChange
| join kind=innerunique GitOps on DeviceId
| where abs(datetime_diff("minute", Timestamp, Timestamp1)) <= 10
| project TimeChangeTime=Timestamp, GitOpTime=Timestamp1, DeviceName, AccountName,
          TimeChangeCommand=ProcessCommandLine, GitCommand=ProcessCommandLine1,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeChangeTime desc

About this query

Explanation

This query is designed to detect suspicious behavior on developer computers where the system date or time is altered shortly before or after Git operations like commits or pushes. Such actions could indicate attempts to backdate changes in a Git repository, which is considered a potential anti-forensic tactic.

How the Query Works:

  1. Identify Time Changes: It looks for processes that change the system date or time using commands like date, time, or Set-Date executed via cmd.exe or powershell.exe.
  2. Identify Git Operations: It also searches for Git-related commands such as git commit, git push, git add, or git config.
  3. Correlate Events: The query then correlates these two sets of events by matching them on the same device and checks if they occurred within 10 minutes of each other.
  4. Output: It lists the time of the time change, the Git operation, the device and account involved, and the specific commands used.

Exclusions and Focus:

  • The query excludes systems used for legitimate time synchronization testing or approved environments where time manipulation is expected.
  • It focuses on developer workstations and build servers to ensure high accuracy in detecting suspicious activity.

Investigation Steps:

  • Verify if the device is used by a developer or for continuous integration/continuous deployment (CI/CD).
  • Examine the time-change commands to see if they set past dates.
  • Look for any immediate Git actions that might indicate an attempt to alter commit history.
  • Review any changes made to the repository during the session for hidden or suspicious content.
  • Determine if there was a valid reason for changing the system time.

This query is particularly effective when combined with Git commit rewrite activities, providing a strong indication of potential malicious behavior.

Details

Ali Hussein profile picture

Ali Hussein

Released: April 1, 2026

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsGitDeveloperEndpoint

Operators

letin~has_anyjoin kind=inneruniqueonwhereabsdatetime_diff<=projectorder bydesc

Actions

GitHub