Query Details

Rule : Suspicious Git Commit Rewrite with Verification Bypass

Execution Git Commit Amend No Verify

Query

DeviceProcessEvents
| where ProcessCommandLine has "git commit --amend"
   or (ProcessCommandLine has "git commit" and ProcessCommandLine has "--amend")
| extend HasNoVerify = iff(ProcessCommandLine has "--no-verify", "Yes", "No")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          FolderPath, SHA1, HasNoVerify, InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp desc

About this query

Explanation

This query is designed to detect potentially suspicious activity in Git repositories. Specifically, it looks for instances where a user modifies the most recent commit using the git commit --amend command while bypassing verification checks with the --no-verify option. This behavior might be used to alter repository contents while maintaining the appearance of legitimate development activity.

Key Points:

  • Detection Criteria: The query identifies Git commands that include git commit --amend and checks if they also use the --no-verify option.
  • Data Source: It uses the DeviceProcessEvents table to find relevant process events.
  • Output: The query outputs details such as the timestamp, device name, account name, file name, command line used, and whether the --no-verify option was present.
  • Ordering: Results are sorted by the timestamp in descending order, showing the most recent events first.

Handling False Positives:

  • Exclude known and approved systems or accounts that regularly perform such operations for legitimate reasons.
  • Allowlist internal automation processes that amend commits in test environments.

Investigation Steps:

  1. Examine the full command line for the presence of --no-verify and --amend.
  2. Check if the user also executed git push -f or altered Git identity settings.
  3. Look for nearby file changes, especially in configuration files or hidden scripts.
  4. Determine the importance of the affected repository and branch.
  5. Identify if the activity came from a developer's machine, a build server, or an administrative system.

Additional Notes:

  • Activities followed by force-pushes or changes in system time or Git user identity are particularly concerning and warrant further investigation.

Details

Ali Hussein profile picture

Ali Hussein

Released: April 1, 2026

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

wherehasorextendiffprojectorder bydesc

Actions

GitHub