Query Details

Git Abuse High Fidelity

Query

# Rule : High-Fidelity Correlation for Git History Manipulation

## Description
Correlates the strongest Git abuse indicators on the same device: local Git identity changes, commit amendment, verification bypass, force push, and optional time manipulation. This is intended as a high-confidence analytic for stealth repository tampering.

## Detection Logic
This correlation looks for:
- local Git identity change
- commit amendment
- force push
- optional time manipulation

## Relevant Tables
- `DeviceProcessEvents`

## Search Query
```kql
// Stage 1: local identity rewrite (user.name / user.email) inside a repository
let GitConfig = DeviceProcessEvents
| where ProcessCommandLine has "git config --local"
| where ProcessCommandLine has_any ("user.name", "user.email")
| project DeviceId, DeviceName, AccountName, GitConfigTime=Timestamp, GitConfigCmd=ProcessCommandLine;
// Stage 2: history rewrite of the most recent commit
let GitAmend = DeviceProcessEvents
| where ProcessCommandLine has "git commit"
| where ProcessCommandLine has "--amend"
| project DeviceId, AmendTime=Timestamp, AmendCmd=ProcessCommandLine;
// Stage 3: force push that overwrites the remote branch
let GitPush = DeviceProcessEvents
| where ProcessCommandLine has "git push"
| where ProcessCommandLine has_any ("-f", "--force", "-uf", "--force-with-lease")
| project DeviceId, PushTime=Timestamp, PushCmd=ProcessCommandLine;
// Optional stage: system clock change from a shell. Note that "date " / "time " also
// match harmless queries such as "time /t", so this stage must never disqualify a chain.
let TimeChange = DeviceProcessEvents
| where FileName in~ ("cmd.exe", "powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any ("date ", "time ", "Set-Date")
| project DeviceId, TimeChangeTime=Timestamp, TimeChangeCmd=ProcessCommandLine;
GitConfig
| join kind=inner GitAmend on DeviceId
| join kind=inner GitPush on DeviceId
| where AmendTime between (GitConfigTime .. GitConfigTime + 30m)
| where PushTime between (AmendTime .. AmendTime + 30m)
// leftouter keeps a chain on a device with no clock change at all; the flag plus summarize
// keeps it as well when the device's only clock changes fall outside the window (a plain
// "where isempty(TimeChangeTime) or TimeChangeTime between (...)" would drop such chains).
| join kind=leftouter TimeChange on DeviceId
| extend TimeChangeInWindow = isnotnull(TimeChangeTime) and TimeChangeTime between (GitConfigTime - 15m .. PushTime + 15m)
| summarize TimeChangeTime = minif(TimeChangeTime, TimeChangeInWindow),
            TimeChangeCmd = take_anyif(TimeChangeCmd, TimeChangeInWindow)
    by DeviceName, AccountName, GitConfigTime, GitConfigCmd, AmendTime, AmendCmd, PushTime, PushCmd
| order by PushTime desc
```
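To unit-test the correlation logic offline before deploying the rule, the following Python re-implements the same stages and time windows over a small constructed batch of DeviceProcessEvents rows. This is an added example, not the rule's own code; the `Event` fields, sample rows and the substring/token checks that stand in for KQL `has`/`has_any` term matching are assumptions of the example.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "DeviceId AccountName FileName Timestamp ProcessCommandLine")
T = lambda h, m: datetime(2026, 4, 1, h, m)  # every sample row falls on the same day
# Constructed sample rows (not real telemetry); WS-B's unrelated "time /t" hours earlier must not suppress its chain.
SAMPLE_EVENTS = [
    Event("WS-A", "alice", "powershell.exe", T(8, 50), "Set-Date -Date '2026-03-01'"),
    Event("WS-A", "alice", "git.exe", T(9, 0), "git config --local user.email ci@example.test"),
    Event("WS-A", "alice", "git.exe", T(9, 10), "git commit --amend --no-edit"),
    Event("WS-A", "alice", "git.exe", T(9, 20), "git push --force origin main"),
    Event("WS-B", "bob", "cmd.exe", T(6, 0), "cmd /c time /t"),
    Event("WS-B", "bob", "git.exe", T(10, 0), "git config --local user.name Release Bot"),
    Event("WS-B", "bob", "git.exe", T(10, 5), "git commit --amend"),
    Event("WS-B", "bob", "git.exe", T(10, 25), "git push -f"),
]
SHELLS = {"cmd.exe", "powershell.exe", "powershell_ise.exe"}
FORCE_FLAGS = ("-f", "--force", "-uf", "--force-with-lease")

def classify(ev):  # stage name for one event (mirrors the query's four `let` tables), or None
    cmd = ev.ProcessCommandLine
    if "git config --local" in cmd and ("user.name" in cmd or "user.email" in cmd):
        return "config"
    if "git commit" in cmd and "--amend" in cmd:
        return "amend"
    if "git push" in cmd and any(flag in cmd.split() for flag in FORCE_FLAGS):
        return "push"
    if ev.FileName.lower() in SHELLS and any(k in cmd for k in ("date ", "time ", "Set-Date")):
        return "timechange"

def correlate(events, window=timedelta(minutes=30), slack=timedelta(minutes=15)):
    # One finding per config -> amend -> force-push chain on a device; the clock change is optional.
    stages = defaultdict(lambda: defaultdict(list))
    for ev in events:
        if stage := classify(ev):
            stages[ev.DeviceId][stage].append(ev)
    findings = []
    for dev, st in stages.items():
        for cfg in st["config"]:
            for amend in st["amend"]:
                if not cfg.Timestamp <= amend.Timestamp <= cfg.Timestamp + window:
                    continue
                for push in st["push"]:
                    if not amend.Timestamp <= push.Timestamp <= amend.Timestamp + window:
                        continue
                    # Optional stage: a clock change outside the window is ignored, never disqualifying.
                    clock = next((t for t in st["timechange"] if cfg.Timestamp - slack <= t.Timestamp <= push.Timestamp + slack), None)
                    findings.append({"DeviceId": dev, "AccountName": cfg.AccountName, "PushCmd": push.ProcessCommandLine,
                                     "TimeChangeCmd": clock.ProcessCommandLine if clock else None})
    return sorted(findings, key=lambda f: f["DeviceId"])
```

Running `correlate(SAMPLE_EVENTS)` yields one finding per device: WS-A with the in-window Set-Date attached, WS-B with no clock change even though an out-of-window `time /t` exists on the host.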

## False Positive Tuning
- Exclude tightly controlled migration or repository administration workflows.
- Restrict initially to developer endpoints and privileged engineering hosts.
- Tune with known sanctioned automation accounts and repository maintenance windows.

## Triage Steps
1. Validate whether the sequence occurred on a managed developer workstation or build host.
2. Identify the repository and branch tied to the activity.
3. Review nearby file and process events for hidden tasks, obfuscated scripts, or non-standard executable assets.
4. Determine whether the same actor performed suspicious network or IDE-triggered execution.
5. Escalate immediately if the sequence involves public repositories, external contractors, or unmanaged devices.

## Investigation Notes
- Designed as the highest-value production analytic in this pack.

Explanation

This query is designed to detect potential tampering with Git repositories on a device by looking for specific suspicious activities. Here is a simple breakdown:

1. Purpose: The query aims to identify high-confidence indicators of Git repository manipulation, which could suggest stealthy tampering.
2. What it looks for:
   - Changes to the local Git user identity (altering the user name or email).
   - Amendments to Git commits.
   - Force pushes to a Git repository.
   - Optional changes to the system time, which might be used to cover tracks.
3. Data source: The query analyzes data from the DeviceProcessEvents table, which logs processes executed on devices.
4. How it works:
   - It first identifies when Git configuration commands are used to change the user identity.
   - It then looks for commit amendments and force pushes.
   - Optionally, it checks for any time changes on the device.
   - The query correlates these events on the same device within a specific time window to identify suspicious patterns.
5. Output: The results show devices where these activities occurred, including details such as device name, account name, and the specific commands used.
6. False positives: The False Positive Tuning section recommends excluding known legitimate activities, such as controlled migrations or maintenance by authorized personnel.
7. Triage steps: If suspicious activity is detected, steps include verifying the device's role, identifying the affected repository, and checking for other suspicious activities. Immediate escalation is advised if the activity involves public repositories or unauthorized devices.
8. Investigation notes: This query is considered a high-value tool for detecting potential Git repository tampering in a production environment.

Details

Ali Hussein

Released: April 1, 2026

Tables

DeviceProcessEvents
