Rule : Suspicious Git Commit Rewrite with Verification Bypass
Execution Git Commit Amend No Verify
Query
DeviceProcessEvents
| where ProcessCommandLine has "git commit --amend"
or (ProcessCommandLine has "git commit" and ProcessCommandLine has "--amend")
| extend HasNoVerify = iff(ProcessCommandLine has "--no-verify", "Yes", "No")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
FolderPath, SHA1, HasNoVerify, InitiatingProcessFileName,
InitiatingProcessCommandLine
| order by Timestamp descAbout this query
Explanation
This query is designed to detect potentially suspicious activity in Git repositories. Specifically, it looks for instances where a user modifies the most recent commit using the git commit --amend command while bypassing verification checks with the --no-verify option. This behavior might be used to alter repository contents while maintaining the appearance of legitimate development activity.
Key Points:
- Detection Criteria: The query identifies Git commands that include
git commit --amendand checks if they also use the--no-verifyoption. - Data Source: It uses the
DeviceProcessEventstable to find relevant process events. - Output: The query outputs details such as the timestamp, device name, account name, file name, command line used, and whether the
--no-verifyoption was present. - Ordering: Results are sorted by the timestamp in descending order, showing the most recent events first.
Handling False Positives:
- Exclude known and approved systems or accounts that regularly perform such operations for legitimate reasons.
- Allowlist internal automation processes that amend commits in test environments.
Investigation Steps:
- Examine the full command line for the presence of
--no-verifyand--amend. - Check if the user also executed
git push -for altered Git identity settings. - Look for nearby file changes, especially in configuration files or hidden scripts.
- Determine the importance of the affected repository and branch.
- Identify if the activity came from a developer's machine, a build server, or an administrative system.
Additional Notes:
- Activities followed by force-pushes or changes in system time or Git user identity are particularly concerning and warrant further investigation.
Details

Ali Hussein
Released: April 1, 2026
Tables
DeviceProcessEvents
Keywords
DeviceProcessEvents
Operators
wherehasorextendiffprojectorder bydesc