Execution Git Commit Amend No Verify

# Rule : Suspicious Git Commit Rewrite with Verification Bypass ## Description Detects Git history rewrite activity where a user amends the latest commit while bypassing local verification hooks. This behavior can be used to preserve the appearance of legitimate development activity while modifying repository contents. ## Detection Logic This detection looks for: - `git commit --amend` - `--no-verify` - Shell or batch execution around Git operations ## Relevant Tables - `DeviceProcessEvents` ## Search Query ```kql DeviceProcessEvents | where ProcessCommandLine has "git commit --amend" or (ProcessCommandLine has "git commit" and ProcessCommandLine has "--amend") | extend HasNoVerify = iff(ProcessCommandLine has "--no-verify", "Yes", "No") | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath, SHA1, HasNoVerify, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ## False Positive Tuning - Exclude approved release engineering or repository maintenance hosts. - Exclude sanctioned administrator accounts that regularly perform controlled history rewrites. - Add allowlists for internal automation that legitimately amends commits in ephemeral test repositories. ## Triage Steps 1. Review the full command line for `--no-verify`, `--amend`, and unusual working directories. 2. Check whether the same user also performed `git push -f` or changed local Git identity settings. 3. Review nearby file modifications for `.vscode/tasks.json`, hidden scripts, or non-standard executable content. 4. Validate whether the repository and branch are business-critical or public-facing. 5. Confirm whether the activity originated from a developer workstation, build host, or administrative automation node. ## Investigation Notes - High concern when followed by force-push activity. - High concern when paired with system time changes or local Git user identity changes.

Explanation

This query is designed to detect potentially suspicious activity in Git repositories. Specifically, it looks for instances where a user modifies the most recent commit using the git commit --amend command while bypassing verification checks with the --no-verify option. This behavior might be used to alter repository contents while maintaining the appearance of legitimate development activity.

Key Points:

Detection Criteria: The query identifies Git commands that include git commit --amend and checks if they also use the --no-verify option.
Data Source: It uses the DeviceProcessEvents table to find relevant process events.
Output: The query outputs details such as the timestamp, device name, account name, file name, command line used, and whether the --no-verify option was present.
Ordering: Results are sorted by the timestamp in descending order, showing the most recent events first.

Handling False Positives:

Exclude known and approved systems or accounts that regularly perform such operations for legitimate reasons.
Allowlist internal automation processes that amend commits in test environments.

Investigation Steps:

Examine the full command line for the presence of --no-verify and --amend.
Check if the user also executed git push -f or altered Git identity settings.
Look for nearby file changes, especially in configuration files or hidden scripts.
Determine the importance of the affected repository and branch.
Identify if the activity came from a developer's machine, a build server, or an administrative system.

Additional Notes:

Activities followed by force-pushes or changes in system time or Git user identity are particularly concerning and warrant further investigation.

KQL Search