Query Details

Defense Evasion Time Change Git

Query

# Rule : System Time Manipulation Followed by Git Activity

## Description
Detects potential anti-forensic behavior where local date or time is changed before or near Git commit or push operations. This pattern is highly suspicious on developer endpoints and can indicate backdating of malicious repository changes.

## Detection Logic
This detection correlates two process events on the same device:
- a system time change via `date`, `time`, or `Set-Date`, launched from `cmd.exe` or PowerShell
- a `git commit`, `git push`, `git add`, or `git config` within ten minutes of that change

## Relevant Tables
- `DeviceProcessEvents`

## Search Query
```kql
// Time-changing commands launched from an interactive or scripted shell
let TimeChange = DeviceProcessEvents
| where FileName in~ ("cmd.exe", "powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any ("date ", "time ", "Set-Date");
// Git operations that create or rewrite history, or change author identity
let GitOps = DeviceProcessEvents
| where ProcessCommandLine has_any ("git commit", "git push", "git add", "git config");
TimeChange
// kind=inner keeps every time-change row; kind=innerunique would keep only one
// arbitrary TimeChange row per DeviceId and silently drop the others
| join kind=inner GitOps on DeviceId
// Right-side columns arrive with a "1" suffix after the join
| where abs(datetime_diff("minute", Timestamp, Timestamp1)) <= 10
| project TimeChangeTime=Timestamp, GitOpTime=Timestamp1, DeviceName, AccountName,
          TimeChangeCommand=ProcessCommandLine, GitCommand=ProcessCommandLine1,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeChangeTime desc
```

## False Positive Tuning
- Exclude IT administration systems used for time synchronization testing.
- Exclude approved lab environments where system time is intentionally manipulated.
- Focus on developer workstations and build hosts for highest fidelity.

## Triage Steps
1. Confirm whether the device is a developer endpoint or CI/CD host.
2. Review exact time-change commands and whether they set explicit historical values.
3. Check for immediate commit amendment, force push, or author identity changes after the time change.
4. Review repository modifications in the same session for hidden execution content or suspicious assets.
5. Confirm whether the user had a legitimate administrative reason to alter local time.

## Investigation Notes
- Very strong signal when paired with Git commit rewrite activity.

Explanation

This query is designed to detect suspicious behavior on developer computers where the system date or time is altered shortly before or after Git operations like commits or pushes. Such actions could indicate attempts to backdate changes in a Git repository, which is considered a potential anti-forensic tactic.

How the Query Works:

  1. Identify Time Changes: It looks for processes that change the system date or time using commands like date, time, or Set-Date executed via cmd.exe or powershell.exe.
  2. Identify Git Operations: It also searches for Git-related commands such as git commit, git push, git add, or git config.
  3. Correlate Events: The query then correlates these two sets of events by matching them on the same device and checks if they occurred within 10 minutes of each other.
  4. Output: It lists the time of the time change, the Git operation, the device and account involved, and the specific commands used.
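As an added example (not part of the rule or its author's code), the following Python mirrors the correlation described above over constructed `DeviceProcessEvents`-style records. Field names follow the query, the shell list and Git verbs are the rule's own, the whole-term matching approximates KQL `has_any`, and the join keeps every time-change row per device rather than one, which is what a correlation rule needs.

```python
import re
from datetime import datetime, timedelta

# Rule constants, taken from the KQL above.
TIME_CHANGE_SHELLS = {"cmd.exe", "powershell.exe", "powershell_ise.exe"}
TIME_CHANGE_TERMS = ("date", "time", "set-date")
GIT_TERMS = ("git commit", "git push", "git add", "git config")
WINDOW = timedelta(minutes=10)

def _has_any(cmdline, terms):
    """Whole-term match, approximating KQL has_any (so "update" does not match "date")."""
    return any(re.search(r"\b" + re.escape(t) + r"\b", cmdline, re.IGNORECASE) for t in terms)

def is_time_change(ev):
    """TimeChange branch: a shell binary plus a date/time-setting term."""
    return ev["FileName"].lower() in TIME_CHANGE_SHELLS and _has_any(ev["ProcessCommandLine"], TIME_CHANGE_TERMS)
def is_git_op(ev):
    """GitOps branch: any process whose command line carries one of the Git verbs."""
    return _has_any(ev["ProcessCommandLine"], GIT_TERMS)

def correlate(events, window=WINDOW):
    """Inner join on DeviceId keeping pairs within `window`; every time-change row is paired
    (an innerunique join would keep one arbitrary time-change row per device). Newest first."""
    time_changes = [e for e in events if is_time_change(e)]
    git_ops = [e for e in events if is_git_op(e)]
    hits = [
        {"TimeChangeTime": tc["Timestamp"], "GitOpTime": g["Timestamp"],
         "DeviceName": tc["DeviceName"], "AccountName": tc["AccountName"],
         "TimeChangeCommand": tc["ProcessCommandLine"], "GitCommand": g["ProcessCommandLine"]}
        for tc in time_changes for g in git_ops
        if tc["DeviceId"] == g["DeviceId"] and abs(tc["Timestamp"] - g["Timestamp"]) <= window
    ]
    return sorted(hits, key=lambda h: h["TimeChangeTime"], reverse=True)

def _ev(ts, device, fname, cmdline, account="dev01"):
    return {"Timestamp": datetime.fromisoformat(ts), "DeviceId": device, "DeviceName": device,
            "AccountName": account, "FileName": fname, "ProcessCommandLine": cmdline}

# Constructed sample telemetry (not real data): two time changes on dev-ws-1, none on dev-ws-2.
SAMPLE_EVENTS = [
    _ev("2026-04-01T09:00:00", "dev-ws-1", "cmd.exe", "cmd.exe /c date 01-15-2026"),
    _ev("2026-04-01T09:04:00", "dev-ws-1", "git.exe", 'git commit -m "fix typo"'),
    _ev("2026-04-01T09:06:00", "dev-ws-1", "git.exe", "git push --force origin main"),
    _ev("2026-04-01T10:30:00", "dev-ws-1", "powershell.exe", "powershell.exe Set-Date -Date 2025-12-01"),
    _ev("2026-04-01T11:00:00", "dev-ws-1", "git.exe", "git add ."),          # 30 min later: outside window
    _ev("2026-04-01T09:02:00", "dev-ws-2", "git.exe", 'git commit -m "update date parsing"'),  # git.exe, not a shell
    _ev("2026-04-01T09:03:00", "dev-ws-2", "cmd.exe", "cmd.exe /c dir C:\\src\\update"),       # no time term
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit["DeviceName"], hit["TimeChangeTime"], hit["TimeChangeCommand"], "->", hit["GitCommand"])
```

Widening `window` to 35 minutes pulls in the `Set-Date` followed by `git add`, which shows how the ten-minute threshold trades recall against noise.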

Exclusions and Focus:

  • The tuning guidance excludes systems used for legitimate time synchronization testing and approved environments where time manipulation is expected.
  • It focuses on developer workstations and build servers, where this pattern has the highest fidelity.

Investigation Steps:

  • Verify if the device is used by a developer or for continuous integration/continuous deployment (CI/CD).
  • Examine the time-change commands to see if they set past dates.
  • Look for any immediate Git actions that might indicate an attempt to alter commit history.
  • Review any changes made to the repository during the session for hidden or suspicious content.
  • Determine if there was a valid reason for changing the system time.

This query is particularly effective when combined with Git commit rewrite activities, providing a strong indication of potential malicious behavior.

Details

Ali Hussein

Released: April 1, 2026

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, Git, Developer Endpoint
