Query Details

Defense Evasion Git Config Masquerade

Query

# Rule: Git Author Masquerading via Local User Config Changes

## Description
Detects local Git configuration changes that set the author name or email, typically immediately before a commit. In malicious scenarios this is used to make commits appear to come from a trusted contributor's identity.

## Detection Logic
This detection looks for:
- `git config --local user.name`
- `git config --local user.email`

## Relevant Tables
- `DeviceProcessEvents`

## Search Query
```kql
DeviceProcessEvents
| where ProcessCommandLine has "git config --local"
| where ProcessCommandLine has_any ("user.name", "user.email")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          FolderPath, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

## False Positive Tuning
- Exclude developer onboarding scripts that set identity once during initial environment setup.
- Exclude golden images or administrative build templates after validation.
- Prioritize repeated changes or changes immediately preceding amend/force-push activity.

## Triage Steps
1. Review prior and subsequent Git activity by the same user on the same device.
2. Determine whether the local identity matches an expected corporate or contractor account.
3. Check for commit amendment, force push, or verification bypass in the same session.
4. Review whether the actor attempted to match the identity of another trusted developer.
5. Validate whether the repository was changed after the local identity update.

## Investigation Notes
- Particularly useful for identifying impersonation in contractor or third-party development scenarios.
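As an added example that is not part of the published rule, the Python below models the rule's `has`/`has_any` filter over constructed DeviceProcessEvents-style rows and applies the tuning and triage guidance above: it ranks identity changes that precede an amend or force-push by the same account on the same device and flags values outside an expected-identity allowlist. The EVENTS rows, the EXPECTED allowlist and the 30-minute window are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed DeviceProcessEvents-style rows (not real telemetry), ISO-8601 timestamps.
EVENTS = [
    {"Timestamp": "2026-03-30T08:00:00", "DeviceName": "build-tmpl-07", "AccountName": "svc_build",
     "ProcessCommandLine": 'git config --local user.name "Build Pipeline"'},
    {"Timestamp": "2026-03-30T09:00:00", "DeviceName": "dev-lt-01", "AccountName": "jsmith",
     "ProcessCommandLine": 'git config --local user.email "lead.dev@example.com"'},
    {"Timestamp": "2026-03-30T09:03:00", "DeviceName": "dev-lt-01", "AccountName": "jsmith",
     "ProcessCommandLine": "git commit --amend --no-edit"},
    {"Timestamp": "2026-03-30T09:05:00", "DeviceName": "dev-lt-01", "AccountName": "jsmith",
     "ProcessCommandLine": "git push --force origin main"},
    {"Timestamp": "2026-03-30T10:00:00", "DeviceName": "dev-lt-02", "AccountName": "akhan",
     "ProcessCommandLine": "git config --global user.email akhan@example.com"},
]
# Hypothetical allowlist: identities each account is expected to commit under (triage step 2).
EXPECTED = {"svc_build": {"Build Pipeline"}, "jsmith": {"J. Smith", "jsmith@example.com"}}

def kql_has(text, phrase):
    """Approximate KQL `has`: case-insensitive match on whole terms, a term being a run
    of alphanumerics, so "user.email" is matched as the adjacent terms (user, email)."""
    tok = lambda s: re.findall(r"[a-z0-9]+", s.lower())
    t, p = tok(text), tok(phrase)
    return any(t[i:i + len(p)] == p for i in range(len(t) - len(p) + 1))

def identity_changes(events):
    """The published filter: has "git config --local" and has_any ("user.name", "user.email")."""
    return [e for e in events if kql_has(e["ProcessCommandLine"], "git config --local")
            and any(kql_has(e["ProcessCommandLine"], k) for k in ("user.name", "user.email"))]

def configured_value(cmd):
    """Extract the value assigned to user.name/user.email, quoted or bare."""
    m = re.search(r'user\.(?:name|email)\s+(?:"([^"]*)"|(\S+))', cmd)
    return (m.group(1) or m.group(2)) if m else None

def triage(events, window=timedelta(minutes=30)):
    """Rank identity changes followed within `window` by an amend or force-push from the same
    account on the same device, and flag values not in that account's expected identities."""
    rows = []
    for h in identity_changes(events):
        t0 = datetime.fromisoformat(h["Timestamp"])
        follow = [e["ProcessCommandLine"] for e in events
                  if (e["DeviceName"], e["AccountName"]) == (h["DeviceName"], h["AccountName"])
                  and t0 < datetime.fromisoformat(e["Timestamp"]) <= t0 + window
                  and any(kql_has(e["ProcessCommandLine"], f) for f in ("commit --amend", "push --force"))]
        value = configured_value(h["ProcessCommandLine"])
        rows.append({"account": h["AccountName"], "value": value, "follow_on": follow,
                     "unexpected": value not in EXPECTED.get(h["AccountName"], set())})
    return sorted(rows, key=lambda r: (-len(r["follow_on"]), not r["unexpected"]))
```

The `--global` row is intentionally not a hit, because the rule as written only keys on `--local`.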

Explanation

This query is designed to detect suspicious changes to Git configuration settings on a local machine, specifically focusing on changes to the author's name or email. These changes can be a sign of someone trying to impersonate a trusted contributor by altering their identity settings just before making a commit to a Git repository.

Key Points:

  1. Purpose: The query aims to identify potential malicious activity where someone might be trying to masquerade as a trusted developer by changing Git configuration settings locally.

  2. Detection Logic:
    • It looks for commands that change the Git user name or email locally (`git config --local user.name` and `git config --local user.email`).
    • It captures the process events in which these commands are executed.

  3. Data Source: The query uses the DeviceProcessEvents table, which logs process-related activity on devices.

  4. Query Details:
    • Filters for processes whose command line includes `git config --local` and either `user.name` or `user.email`.
    • Projects relevant details such as timestamp, device name, account name, and the command line used.
    • Orders the results with the most recent events first.

  5. False Positives:
    • The tuning guidance excludes benign scenarios such as initial setup scripts or validated administrative templates.
    • Focus on repeated changes, or on changes followed by suspicious Git activity such as amend or force-push.

  6. Triage Steps:
    • Investigate the user's previous and subsequent Git activity.
    • Verify whether the identity matches a known corporate or contractor account.
    • Look for signs of commit amendments or identity impersonation.
    • Check whether the repository was altered after the identity change.

  7. Use Case: This is particularly useful for detecting impersonation attempts in environments where contractors or third-party developers have access to repositories, helping ensure that only authorized identities are making changes.

Details


Ali Hussein

Released: April 1, 2026

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine

Operators

where, has, has_any, project, order by
