Query Details

Correlation Git And VS Code Task Abuse

Query

# Rule : Correlation of Git Abuse with VS Code Task or Workspace Triggering

## Description
Correlates Git abuse activity with suspicious VS Code or workspace-triggered execution. This analytic is useful for detecting the full chain where repository tampering is followed by malicious execution through IDE tasking.

## Detection Logic
This correlation looks for:
- Git amend or force push behavior
- Node execution of masqueraded content
- VS Code or shell-related initiating process context

## Relevant Tables
- `DeviceProcessEvents`

## Search Query
```kql
let GitAbuse = DeviceProcessEvents
| where ProcessCommandLine has_any ("git commit --amend", "--no-verify", "git push -f", "git push --force", "git config --local")
| project DeviceId, GitTime=Timestamp, DeviceName, AccountName, GitCmd=ProcessCommandLine;
let SuspiciousNode = DeviceProcessEvents
| where FileName in~ ("node.exe", "node")
| where ProcessCommandLine has_any (".woff2", ".woff", ".ttf", ".otf", ".eot")
| where InitiatingProcessFileName in~ ("Code.exe", "code", "cmd.exe", "powershell.exe", "bash", "sh", "zsh")
   or InitiatingProcessCommandLine has_any ("Code.exe", "code", ".vscode", "tasks.json", "folderOpen")
| project DeviceId, NodeTime=Timestamp, NodeCmd=ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine;
GitAbuse
| join kind=inner SuspiciousNode on DeviceId
| where NodeTime between (GitTime - 7d .. GitTime + 7d)
| project DeviceName, AccountName, GitTime, GitCmd, NodeTime, NodeCmd, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by NodeTime desc
```
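The same correlation, re-implemented in Python over a handful of constructed `DeviceProcessEvents`-style rows so the join window and the two filter stages can be exercised offline. This is an added illustration, not part of the original query page; the device names, account names and command lines are placeholders, and `has_any` below is a substring approximation of KQL's term-based `has_any`.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Indicator lists copied from the KQL query above.
GIT_ABUSE_TERMS = ("git commit --amend", "--no-verify", "git push -f",
                   "git push --force", "git config --local")
FONT_EXTENSIONS = (".woff2", ".woff", ".ttf", ".otf", ".eot")
NODE_BINARIES = {"node.exe", "node"}
IDE_OR_SHELL_PARENTS = {"code.exe", "code", "cmd.exe", "powershell.exe", "bash", "sh", "zsh"}
IDE_CONTEXT_TERMS = ("Code.exe", "code", ".vscode", "tasks.json", "folderOpen")
WINDOW = timedelta(days=7)  # GitTime - 7d .. GitTime + 7d


@dataclass
class ProcessEvent:
    """One DeviceProcessEvents row, reduced to the columns the query reads."""
    Timestamp: datetime
    DeviceId: str
    DeviceName: str
    AccountName: str
    FileName: str
    ProcessCommandLine: str
    InitiatingProcessFileName: str
    InitiatingProcessCommandLine: str


def has_any(text: str, terms) -> bool:
    """Stand-in for KQL has_any: case-insensitive substring match. The real operator
    matches whole terms, so this demo is slightly broader than the query."""
    lowered = text.lower()
    return any(term.lower() in lowered for term in terms)


def is_git_abuse(ev: ProcessEvent) -> bool:
    return has_any(ev.ProcessCommandLine, GIT_ABUSE_TERMS)


def is_suspicious_node(ev: ProcessEvent) -> bool:
    """Node binary, font-like argument, and an IDE or shell initiating context."""
    if ev.FileName.lower() not in NODE_BINARIES:
        return False
    if not has_any(ev.ProcessCommandLine, FONT_EXTENSIONS):
        return False
    parent_match = ev.InitiatingProcessFileName.lower() in IDE_OR_SHELL_PARENTS
    context_match = has_any(ev.InitiatingProcessCommandLine, IDE_CONTEXT_TERMS)
    return parent_match or context_match


def correlate(events: List[ProcessEvent]) -> List[Dict[str, object]]:
    """join kind=inner on DeviceId, keep pairs within +/- WINDOW, order by NodeTime desc."""
    git_rows = [e for e in events if is_git_abuse(e)]
    node_rows = [e for e in events if is_suspicious_node(e)]
    hits = []
    for g in git_rows:
        for n in node_rows:
            if n.DeviceId != g.DeviceId:
                continue
            if not (g.Timestamp - WINDOW <= n.Timestamp <= g.Timestamp + WINDOW):
                continue
            hits.append({
                "DeviceName": g.DeviceName, "AccountName": g.AccountName,
                "GitTime": g.Timestamp, "GitCmd": g.ProcessCommandLine,
                "NodeTime": n.Timestamp, "NodeCmd": n.ProcessCommandLine,
                "InitiatingProcessFileName": n.InitiatingProcessFileName,
                "InitiatingProcessCommandLine": n.InitiatingProcessCommandLine,
            })
    hits.sort(key=lambda r: r["NodeTime"], reverse=True)
    return hits


def _ev(ts, dev, name, acct, fn, cmd, pfn, pcmd):
    return ProcessEvent(datetime.fromisoformat(ts), dev, name, acct, fn, cmd, pfn, pcmd)


# Constructed sample telemetry (not real data); names and paths are placeholders.
SAMPLE_EVENTS = [
    # dev-01: history rewrite, then a VS Code-launched node run on a "font" file a day later -> hit
    _ev("2026-03-30T09:00:00", "d1", "dev-01", "alice", "git.exe",
        "git push --force origin main", "powershell.exe", "powershell.exe"),
    _ev("2026-03-31T10:15:00", "d1", "dev-01", "alice", "node.exe",
        "node.exe .\\assets\\fonts\\icons.woff2", "Code.exe", "Code.exe --folder-uri C:\\src\\app"),
    # dev-01: ordinary build task with no font-like argument -> not suspicious
    _ev("2026-03-31T10:20:00", "d1", "dev-01", "alice", "node.exe",
        "node.exe build.js", "Code.exe", "Code.exe"),
    # dev-02: amend and node run are 19 days apart -> outside the 7-day window
    _ev("2026-03-01T08:00:00", "d2", "dev-02", "bob", "git",
        "git commit --amend --no-edit", "bash", "bash"),
    _ev("2026-03-20T08:00:00", "d2", "dev-02", "bob", "node",
        "node ./theme/regular.ttf", "bash", "bash -lc npm run start"),
    # dev-03: node on a font path, but no IDE/shell parent and no git abuse -> not correlated
    _ev("2026-03-31T12:00:00", "d3", "dev-03", "carol", "node.exe",
        "node.exe logo.otf", "explorer.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for row in correlate(SAMPLE_EVENTS):
        print(row["DeviceName"], row["AccountName"], row["GitCmd"], "->", row["NodeCmd"])
```

Only the dev-01 pair survives: dev-02's node run is suspicious on its own but falls outside the window, and dev-03 never had a Git event. The join on `DeviceId` alone means a busy developer box with many Git and Node events produces a cross product; in production, the same window filter keeps that bounded, but scoping to developer endpoints first (as the tuning section says) keeps the candidate sets small.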

## False Positive Tuning
- Scope initially to developer endpoints.
- Exclude known benign static analysis or packaging workflows if any exist.
- Prioritize repositories with external contributors or recent suspicious history rewrites.

## Triage Steps
1. Determine whether Git abuse preceded malicious execution on the same endpoint.
2. Review the repository for `.vscode/tasks.json`, hidden scripts, and disguised payloads.
3. Check network activity from Node for unusual infrastructure or payload retrieval.
4. Validate whether the repository was recently cloned, modified, or opened in the IDE.
5. Escalate as a likely supply chain compromise if both sides of the correlation are present.
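For triage step 2, a small checker that loads a repository's `.vscode/tasks.json` and flags the two properties the query keys on: tasks set to auto-run on folder open (`runOptions.runOn: "folderOpen"`) and Node commands whose arguments point at font-like files. This is an added example, not part of the original page; the embedded `tasks.json` is constructed, and the comment stripping only handles whole-line `//` comments such as those in the VS Code template.

```python
import json
import re
from typing import Dict, List

FONT_EXTENSIONS = (".woff2", ".woff", ".ttf", ".otf", ".eot")
NODE_RE = re.compile(r"\bnode(\.exe)?\b", re.IGNORECASE)


def load_tasks_json(text: str) -> dict:
    """tasks.json is JSON-with-comments; drop whole-line // comments before parsing."""
    cleaned = "\n".join(line for line in text.splitlines()
                        if not line.strip().startswith("//"))
    return json.loads(cleaned)


def review_tasks(doc: dict) -> List[Dict[str, str]]:
    """Return one finding per (task, reason) for the indicators the query looks for."""
    findings = []
    for task in doc.get("tasks", []):
        label = task.get("label", "<unlabelled>")
        run_on = (task.get("runOptions") or {}).get("runOn")
        parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        full_cmd = " ".join(p for p in parts if p)
        if run_on == "folderOpen":
            findings.append({"task": label,
                             "reason": "auto-runs on folder open (runOptions.runOn=folderOpen)",
                             "command": full_cmd})
        if NODE_RE.search(full_cmd) and any(ext in full_cmd.lower() for ext in FONT_EXTENSIONS):
            findings.append({"task": label,
                             "reason": "node invoked on a font-like file",
                             "command": full_cmd})
    return findings


# Constructed sample: one ordinary build task and one task showing both indicators.
SAMPLE_TASKS_JSON = r'''
{
  // default template comment, as VS Code writes it
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "npm",
      "script": "build",
      "group": "build"
    },
    {
      "label": "fonts: warm cache",
      "type": "shell",
      "command": "node",
      "args": ["assets/fonts/brand.woff2"],
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }
    }
  ]
}
'''

if __name__ == "__main__":
    for f in review_tasks(load_tasks_json(SAMPLE_TASKS_JSON)):
        print(f"[{f['task']}] {f['reason']}: {f['command']}")
```

Run it against the checked-out repository's `.vscode/tasks.json` rather than the sample; a task that is both auto-run and points Node at a non-script file is the pairing the query's `SuspiciousNode` stage is built to catch, and the `presentation.reveal: never` setting in the sample is the kind of detail worth noting in the ticket because it hides the task's terminal from the developer.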

## Investigation Notes
- High value for detecting end-to-end developer compromise.

Explanation

This query is designed to detect suspicious activity in which a Git repository is tampered with and then potentially malicious code is executed through Visual Studio Code (VS Code) or a similar environment. Here is a simplified breakdown of what the query does:

  1. Objective: Identify a sequence of events where Git repository manipulation (such as amending commits or force-pushing changes) is followed by suspicious code execution, which may indicate a compromise of a developer's environment.

  2. Detection Logic:
    • It looks for Git commands that suggest repository tampering, such as `git commit --amend` or `git push --force`.
    • It also searches for Node.js processes whose command line references font-like files (`.woff2`, `.woff`, `.ttf`, `.otf`, `.eot`), a sign that script content may be disguised, particularly when the process was started by VS Code or by a shell such as PowerShell or Bash.

  3. Data Sources: The query reads the `DeviceProcessEvents` table, which logs process activity on devices.

  4. Query Steps:
    • Identify Git Abuse: Filter events whose Git command lines indicate possible abuse and capture the device ID, timestamp, account, and command line.
    • Identify Suspicious Node Execution: Filter Node.js executions that reference font-like files and check whether they were initiated by VS Code, a shell, or a command line mentioning `.vscode`, `tasks.json`, or `folderOpen`.
    • Correlation: Join the two sets on device ID and keep pairs where the suspicious Node execution occurred within seven days before or after the Git abuse.

  5. Output: A list of devices and accounts on which both Git abuse and suspicious Node execution were observed, with the timestamps and command lines of each.

  6. False Positive Tuning: Scope the query to developer machines first, exclude known benign static analysis or packaging workflows, and prioritize repositories with external contributors or recent suspicious history rewrites.

  7. Triage Steps: If a potential compromise is detected, verify the order of events, check the repository for `.vscode/tasks.json`, hidden scripts, and disguised payloads, analyze Node's network activity for unusual infrastructure or payload retrieval, and confirm whether the repository was recently cloned, modified, or opened in the IDE.

  8. Investigation Notes: The query is valuable for identifying potential supply chain compromises in developer environments, where unauthorized changes to a code repository are followed by malicious code execution.

Details

Ali Hussein

Released: April 1, 2026

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, Git, Node, VSCode, Shell, Task, Workspace, Repository, Developer, Endpoint, Network, Infrastructure, Payload, IDE, SupplyChain

Operators

let, has_any, project, in~, or, join kind=inner, between, order by