Rule : System Time Manipulation Followed by Git Activity
Defense Evasion Time Change Git
Query
let TimeChange = DeviceProcessEvents
| where FileName in~ ("cmd.exe", "powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any ("date ", "time ", "Set-Date");
let GitOps = DeviceProcessEvents
| where ProcessCommandLine has_any ("git commit", "git push", "git add", "git config");
TimeChange
| join kind=innerunique GitOps on DeviceId
| where abs(datetime_diff("minute", Timestamp, Timestamp1)) <= 10
| project TimeChangeTime=Timestamp, GitOpTime=Timestamp1, DeviceName, AccountName,
TimeChangeCommand=ProcessCommandLine, GitCommand=ProcessCommandLine1,
InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeChangeTime descAbout this query
Explanation
This query is designed to detect suspicious behavior on developer computers where the system date or time is altered shortly before or after Git operations like commits or pushes. Such actions could indicate attempts to backdate changes in a Git repository, which is considered a potential anti-forensic tactic.
How the Query Works:
- Identify Time Changes: It looks for processes that change the system date or time using commands like
date,time, orSet-Dateexecuted viacmd.exeorpowershell.exe. - Identify Git Operations: It also searches for Git-related commands such as
git commit,git push,git add, orgit config. - Correlate Events: The query then correlates these two sets of events by matching them on the same device and checks if they occurred within 10 minutes of each other.
- Output: It lists the time of the time change, the Git operation, the device and account involved, and the specific commands used.
Exclusions and Focus:
- The query excludes systems used for legitimate time synchronization testing or approved environments where time manipulation is expected.
- It focuses on developer workstations and build servers to ensure high accuracy in detecting suspicious activity.
Investigation Steps:
- Verify if the device is used by a developer or for continuous integration/continuous deployment (CI/CD).
- Examine the time-change commands to see if they set past dates.
- Look for any immediate Git actions that might indicate an attempt to alter commit history.
- Review any changes made to the repository during the session for hidden or suspicious content.
- Determine if there was a valid reason for changing the system time.
This query is particularly effective when combined with Git commit rewrite activities, providing a strong indication of potential malicious behavior.
Details

Ali Hussein
Released: April 1, 2026
Tables
DeviceProcessEvents
Keywords
DeviceProcessEventsGitDeveloperEndpoint
Operators
letin~has_anyjoin kind=inneruniqueonwhereabsdatetime_diff<=projectorder bydesc