Which SIEM platforms have a T1153 detection rule?

df00tech provides T1153 (Source) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1153 detection?

The T1153 detection is rated medium severity with medium confidence.

What are common false positives for T1153?

Common false positives for T1153 include: System initialization scripts and package installers legitimately source configuration files from /tmp during installation (e.g., some pip or npm install procedures); Developers and DevOps engineers routinely source virtual environment activation scripts (e.g., source ./venv/bin/activate) which may reside in project directories under /home/; Configuration management tools (Ansible, Chef, Puppet) may source scripts during provisioning runs.

T1153

Source

Q: What data sources are required to detect Source (T1153)?

Detecting Source requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint (Linux/macOS).

Execution Last updated: April 18, 2026

Adversaries may abuse the shell built-in source command (or its dot notation equivalent '. ') to execute arbitrary scripts in the current shell context without requiring the target file to be marked executable. This technique is deprecated in ATT&CK but the underlying behavior remains relevant on Linux and macOS systems. The source command can load malicious functions into the current shell session, execute staged payloads from world-writable directories, or run scripts pulled from remote locations via process substitution (e.g., source <(curl ...)). Because the file does not need execute permissions (chmod +x), this technique can bypass permission-based detection controls. Adversaries commonly use this to execute payloads written to /tmp or /dev/shm, load malicious shell functions into memory, or chain with other techniques such as modifying .bashrc or .profile for persistence.

What is T1153 Source?

Source (T1153) maps to the Execution tactic — the adversary is trying to run malicious code in MITRE ATT&CK.

This page provides production-ready detection logic for Source, covering the data sources and telemetry it touches: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint (Linux/macOS). The queries below are rated medium severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Execution
Canonical reference: https://attack.mitre.org/techniques/T1153/

Microsoft Sentinel / Defender

kusto

let SuspiciousSourcePaths = dynamic([
  "/tmp/", "/dev/shm/", "/var/tmp/", "/run/", "/proc/",
  "/home/", "/root/", "/dev/fd/"
]);
let SuspiciousParents = dynamic([
  "curl", "wget", "python", "python3", "perl", "ruby",
  "php", "nc", "ncat", "socat"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where OSPlatform in ("Linux", "macOS")
| where FileName in ("bash", "sh", "zsh", "dash", "ksh", "fish")
| where ProcessCommandLine has "source " or ProcessCommandLine matches regex @"(?:^|\s)\.\s+[/~]"
| extend SourcedPath = extract(@"source\s+([^\s;|&]+)|(?:^|\s)\.\s+([^\s;|&]+)", 1, ProcessCommandLine)
| extend IsFromTempDir = ProcessCommandLine has_any (SuspiciousSourcePaths)
| extend IsProcessSubstitution = ProcessCommandLine matches regex @"source\s+<\(" or ProcessCommandLine matches regex @"\.\s+<\("
| extend SuspiciousParent = InitiatingProcessFileName has_any (SuspiciousParents)
| extend IsNonExecutable = ProcessCommandLine matches regex @"source\s+.*\.(txt|log|conf|dat|bak|tmp)" 
or ProcessCommandLine matches regex @"\.\s+.*\.(txt|log|conf|dat|bak|tmp)"
| extend HasBase64Payload = ProcessCommandLine has "base64" and (ProcessCommandLine has "source" or ProcessCommandLine matches regex @"(?:^|\s)\.\s+")
| where IsFromTempDir or IsProcessSubstitution or SuspiciousParent or IsNonExecutable or HasBase64Payload
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, SourcedPath,
         IsFromTempDir, IsProcessSubstitution, SuspiciousParent, IsNonExecutable, HasBase64Payload
| sort by Timestamp desc

Detects suspicious use of the shell source builtin command (and its dot notation equivalent) on Linux and macOS endpoints monitored by Microsoft Defender for Endpoint. Identifies sourcing from world-writable or temporary directories (/tmp, /dev/shm, /var/tmp), process substitution patterns (source <(curl ...)), sourcing initiated by network tools, sourcing of non-script file extensions (evading extension-based controls), and base64-decoded payloads passed via source. Uses DeviceProcessEvents which covers MDE-enrolled Linux and macOS endpoints.

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint (Linux/macOS)

Required Tables

DeviceProcessEvents

False Positives

System initialization scripts and package installers legitimately source configuration files from /tmp during installation (e.g., some pip or npm install procedures)
Developers and DevOps engineers routinely source virtual environment activation scripts (e.g., source ./venv/bin/activate) which may reside in project directories under /home/
Configuration management tools (Ansible, Chef, Puppet) may source scripts during provisioning runs
Shell profile management tools (oh-my-zsh, bash-it) source scripts during terminal initialization from home directories
CI/CD pipeline agents sourcing build environment scripts from workspace directories that may match /home/ path patterns

Splunk

spl

index=linux_logs (sourcetype="linux_auditd" OR sourcetype="syslog" OR sourcetype="auditd")
| eval cmdline=coalesce(cmd, command, msg)
| search (cmdline="*source /*" OR cmdline="* . /*" OR cmdline="* . ~/*")
| eval IsFromTempDir=if(match(cmdline, "source\s+/(tmp|dev/shm|var/tmp|run)/|\s\.\s+/(tmp|dev/shm|var/tmp|run)/"), 1, 0)
| eval IsProcessSubstitution=if(match(cmdline, "source\s+<\(|\s\.\s+<\("), 1, 0)
| eval IsNonExecutable=if(match(cmdline, "source\s+\S+\.(txt|log|conf|dat|bak|tmp)|\s\.\s+\S+\.(txt|log|conf|dat|bak|tmp)"), 1, 0)
| eval HasBase64=if(match(cmdline, "base64") AND match(cmdline, "source |\s\.\s"), 1, 0)
| eval SuspiciousParent=if(match(parent_process, "curl|wget|python|python3|perl|ruby|php|nc|ncat|socat"), 1, 0)
| eval SuspicionScore=IsFromTempDir + IsProcessSubstitution + IsNonExecutable + HasBase64 + SuspiciousParent
| where SuspicionScore > 0
| table _time, host, user, cmdline, parent_process, IsFromTempDir, IsProcessSubstitution, IsNonExecutable, HasBase64, SuspiciousParent, SuspicionScore
| sort - SuspicionScore, - _time

Detects suspicious use of the shell source builtin on Linux/macOS systems via auditd or syslog telemetry. Evaluates sourced command lines for indicators including sourcing from temp/world-writable paths, process substitution with network tools, non-standard file extensions, base64-decoded payloads, and suspicious parent processes. Assigns a composite suspicion score to aid analyst prioritization.

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Linux auditd / syslog

Required Sourcetypes

linux_auditd syslog auditd

False Positives

Software installers and package managers sourcing temporary scripts during installation workflows
Developers sourcing Python virtual environment activation scripts (e.g., . venv/bin/activate) from project directories
CI/CD agents and build systems sourcing environment setup scripts from workspace paths
Shell plugin managers (oh-my-zsh, prezto) sourcing configuration from home directories at session start
Infrastructure automation tools (Ansible local actions, cloud-init) sourcing configuration scripts during provisioning

Elastic Security (EQL)

eql

process where host.os.type in ("linux", "macos") and
  process.name in ("bash", "sh", "zsh", "dash", "ksh", "fish") and
  (
    process.command_line like~ "*source /*" or
    process.command_line like~ "* . /*" or
    process.command_line like~ "* . ~/*"
  ) and
  (
    process.command_line like~ "*source */tmp/*" or
    process.command_line like~ "*source */dev/shm/*" or
    process.command_line like~ "*source */var/tmp/*" or
    process.command_line like~ "*source */run/*" or
    process.command_line like~ "* . /tmp/*" or
    process.command_line like~ "* . /dev/shm/*" or
    process.command_line like~ "* . /var/tmp/*" or
    process.command_line like~ "*source <(*" or
    process.command_line like~ "*. <(*" or
    process.command_line like~ "*source *.txt*" or
    process.command_line like~ "*source *.log*" or
    process.command_line like~ "*source *.conf*" or
    process.command_line like~ "*source *.bak*" or
    process.command_line like~ "*source *.tmp*" or
    (process.command_line like~ "*base64*" and process.command_line like~ "*source *") or
    process.parent.name in ("curl", "wget", "python", "python3", "perl", "ruby", "php", "nc", "ncat", "socat")
  )

Detects suspicious shell source command or dot notation (. ) abuse on Linux/macOS hosts. Flags sourcing from world-writable paths (/tmp, /dev/shm), process substitution patterns (source <(...)), execution of non-executable file types, base64-encoded payloads, and shells spawned by network utility parents such as curl or wget.

medium severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.process-*

False Positives

System administrators sourcing environment setup scripts from /tmp during interactive maintenance or one-off debugging sessions
CI/CD pipeline agents (Jenkins, GitLab Runner) that extract build scripts to /tmp and source them as part of normal job execution
Developer dotfile managers (chezmoi, yadm) that source shell function libraries using non-.sh extensions such as .conf during shell initialisation

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "Command" AS cmdline,
  "ParentCommandLine" AS parent_process,
  CASE WHEN REGEXP_MATCH("Command", 'source\s+/(tmp|dev/shm|var/tmp|run)/')
       OR REGEXP_MATCH("Command", '(?:^|\s)\.\s+/(tmp|dev/shm|var/tmp|run)/')
       THEN 1 ELSE 0 END AS IsFromTempDir,
  CASE WHEN REGEXP_MATCH("Command", 'source\s+<\(')
       OR REGEXP_MATCH("Command", '(?:^|\s)\.\s+<\(')
       THEN 1 ELSE 0 END AS IsProcessSubstitution,
  CASE WHEN REGEXP_MATCH("Command", 'source\s+\S+\.(txt|log|conf|dat|bak|tmp)')
       OR REGEXP_MATCH("Command", '(?:^|\s)\.\s+\S+\.(txt|log|conf|dat|bak|tmp)')
       THEN 1 ELSE 0 END AS IsNonExecutable,
  CASE WHEN "Command" ILIKE '%base64%'
       AND ("Command" ILIKE '%source %' OR "Command" ILIKE '% . %')
       THEN 1 ELSE 0 END AS HasBase64,
  CASE WHEN REGEXP_MATCH("ParentCommandLine", '(?i)curl|wget|python3?|perl|ruby|php|ncat?|socat')
       THEN 1 ELSE 0 END AS SuspiciousParent
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('LinuxAuditd', 'Linux OS', 'Unix')
  AND (
    "Command" ILIKE '%source /%'
    OR "Command" ILIKE '% . /%'
    OR "Command" ILIKE '% . ~/%'
  )
  AND (
    REGEXP_MATCH("Command", 'source\s+/(tmp|dev/shm|var/tmp|run)/')
    OR REGEXP_MATCH("Command", '(?:^|\s)\.\s+/(tmp|dev/shm|var/tmp|run)/')
    OR REGEXP_MATCH("Command", 'source\s+<\(')
    OR REGEXP_MATCH("Command", '(?:^|\s)\.\s+<\(')
    OR REGEXP_MATCH("Command", 'source\s+\S+\.(txt|log|conf|dat|bak|tmp)')
    OR ("Command" ILIKE '%base64%' AND "Command" ILIKE '%source %')
    OR REGEXP_MATCH("ParentCommandLine", '(?i)curl|wget|python3?|perl|ruby|php|ncat?|socat')
  )
ORDER BY event_time DESC
LAST 24 HOURS

QRadar AQL rule targeting Linux/Unix auditd log sources for shell source command abuse. Matches execve records where the command field contains source or dot-space invocations pointing at suspicious directories, process substitutions, non-executable file extensions, or base64-encoded payloads. Scores each indicator independently to support tiered alerting.

medium severity medium confidence

Data Sources

Linux Audit Daemon (auditd) Unix syslog QRadar Linux OS log source

Required Tables

events

False Positives

Automated configuration management tools (Ansible, Chef) that stage scripts to /tmp and source them to inject environment variables into the current shell
Container entrypoint scripts that source /tmp-based secrets injected via mounted ConfigMaps or Secrets at container start time
Interactive developer sessions on shared build hosts where sourcing local dotfiles from non-standard paths is routine

Sumo Logic CSE

sql

(_sourceCategory=linux* OR _sourceCategory=*audit* OR _sourceCategory=*syslog*)
| parse regex "(?:cmd|command|msg|CommandLine)=[\"']?(?P<cmdline>[^\"'\n]+)[\"']?" nodrop
| parse regex "(?:ppid_cmd|parent_process|ParentCommandLine)=[\"']?(?P<parent_proc>[^\"'\n]+)[\"']?" nodrop
| where cmdline matches "*source /*" OR cmdline matches "* . /*" OR cmdline matches "* . ~/*"
| eval IsFromTempDir = if(matches(cmdline, "source\\s+/(tmp|dev/shm|var/tmp|run)/") OR matches(cmdline, "\\s\\.\\s+/(tmp|dev/shm|var/tmp|run)/"), 1, 0)
| eval IsProcessSubstitution = if(matches(cmdline, "source\\s+<\\(") OR matches(cmdline, "\\s\\.\\s+<\\("), 1, 0)
| eval IsNonExecutable = if(matches(cmdline, "source\\s+\\S+\\.(txt|log|conf|dat|bak|tmp)") OR matches(cmdline, "\\s\\.\\s+\\S+\\.(txt|log|conf|dat|bak|tmp)"), 1, 0)
| eval HasBase64 = if(matches(cmdline, "base64") AND (matches(cmdline, "source ") OR matches(cmdline, " \\. ")), 1, 0)
| eval SuspiciousParent = if(matches(parent_proc, "curl|wget|python3?|perl|ruby|php|ncat?|socat"), 1, 0)
| eval SuspicionScore = IsFromTempDir + IsProcessSubstitution + IsNonExecutable + HasBase64 + SuspiciousParent
| where SuspicionScore > 0
| fields _messageTime, _sourceHost, cmdline, parent_proc, IsFromTempDir, IsProcessSubstitution, IsNonExecutable, HasBase64, SuspiciousParent, SuspicionScore
| sort by SuspicionScore desc, _messageTime desc

Sumo Logic search targeting Linux auditd and syslog sources for shell source command abuse. Parses command line fields from multiple log formats, evaluates five suspicion indicators (suspicious path, process substitution, non-executable extension, base64 payload, network utility parent), and surfaces events with a non-zero composite score for analyst triage.

medium severity medium confidence

Data Sources

Linux Audit Daemon (auditd) Linux syslog CrowdStrike Falcon syslog forwarder osquery

Required Tables

linux_audit syslog

False Positives

Package installer scripts (pip, npm, brew on macOS) that extract archives to /tmp and source shell wrappers as part of post-install hooks
Penetration testing tools such as Metasploit post-exploitation modules that legitimately generate /tmp payloads in authorised engagements
Security monitoring agents that source configuration fragments from /run or /var/tmp during startup as part of their normal initialisation

Google Chronicle / SecOps

yaral

rule shell_source_command_suspicious_execution {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects suspicious shell source or dot-notation execution targeting world-writable paths, process substitution, non-executable files, or base64 payloads on Linux/macOS"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1153"
    mitre_attack_technique_name = "Source"
    severity = "MEDIUM"
    priority = "MEDIUM"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path = /\/(bash|sh|zsh|dash|ksh|fish)$/
    (
      $e.target.process.command_line = /source\s+\// or
      $e.target.process.command_line = /(?:^|\s)\.\s+[\/~]/
    )
    (
      $e.target.process.command_line = /source\s+\/(tmp|dev\/shm|var\/tmp|run)\// or
      $e.target.process.command_line = /(?:^|\s)\.\s+\/(tmp|dev\/shm|var\/tmp|run)\// or
      $e.target.process.command_line = /source\s+<\(/ or
      $e.target.process.command_line = /(?:^|\s)\.\s+<\(/ or
      $e.target.process.command_line = /source\s+\S+\.(txt|log|conf|dat|bak|tmp)/ or
      $e.target.process.command_line = /(?:^|\s)\.\s+\S+\.(txt|log|conf|dat|bak|tmp)/ or
      (
        $e.target.process.command_line = /base64/ and
        $e.target.process.command_line = /source /
      ) or
      $e.principal.process.file.full_path = /\/(curl|wget|python3?|perl|ruby|php|ncat?|socat)$/
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting shell source command abuse via UDM PROCESS_LAUNCH events. Matches target process command lines where a shell interpreter is invoked with source or dot-notation against suspicious paths (/tmp, /dev/shm, /var/tmp, /run), process substitutions, non-executable file extensions, base64 payloads, or where the initiating parent is a network utility such as curl or wget.

medium severity medium confidence

Data Sources

Endpoint Detection and Response (EDR) CrowdStrike Falcon Carbon Black Chronicle forwarder (auditd/syslog)

Required Tables

PROCESS_LAUNCH UDM events

False Positives

Legitimate infrastructure automation (Terraform provisioners, cloud-init) that stages and sources shell scripts in /tmp during instance bootstrap
Developer environment setup scripts (nvm, rbenv, pyenv) that source shell initialisation fragments from non-.sh files located in home or temp directories
Container orchestration sidecars (Vault Agent, Consul Template) that render secrets to /dev/shm and source them via shell wrappers to avoid disk persistence

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /\/(bash|sh|zsh|dash|ksh|fish)$/
| CommandLine = /source\s+\/|(?:^|\s)\.\s+[\/~]/
| IsFromTempDir := if(match(CommandLine, regex="source\\s+/(tmp|dev/shm|var/tmp|run)/") OR match(CommandLine, regex="(?:^|\\s)\\.\\s+/(tmp|dev/shm|var/tmp|run)/"), 1, 0)
| IsProcessSubstitution := if(match(CommandLine, regex="source\\s+<\\(") OR match(CommandLine, regex="(?:^|\\s)\\.\\s+<\\("), 1, 0)
| IsNonExecutable := if(match(CommandLine, regex="(?i)source\\s+\\S+\\.(txt|log|conf|dat|bak|tmp)") OR match(CommandLine, regex="(?i)(?:^|\\s)\\.\\s+\\S+\\.(txt|log|conf|dat|bak|tmp)"), 1, 0)
| HasBase64 := if(match(CommandLine, regex="base64") AND match(CommandLine, regex="source "), 1, 0)
| SuspiciousParent := if(match(ParentBaseFileName, regex="(?i)^(curl|wget|python3?|perl|ruby|php|ncat?|socat)$"), 1, 0)
| SuspicionScore := IsFromTempDir + IsProcessSubstitution + IsNonExecutable + HasBase64 + SuspiciousParent
| SuspicionScore > 0
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, IsFromTempDir, IsProcessSubstitution, IsNonExecutable, HasBase64, SuspiciousParent, SuspicionScore])
| sort(SuspicionScore, order=desc)

CrowdStrike LogScale (Falcon) query against ProcessRollup2 events targeting shell interpreter executions that contain source or dot-space invocations. Evaluates five weighted indicators — suspicious path, process substitution, non-executable extension, base64 payload, and network utility parent — and ranks results by composite suspicion score to prioritise analyst review.

medium severity medium confidence

Data Sources

CrowdStrike Falcon Sensor (Linux/macOS endpoint)

Required Tables

ProcessRollup2

False Positives

Software deployment pipelines running on Linux Falcon-protected hosts that use shell wrappers to source environment files from /tmp before invoking build steps
Security tooling (OSSEC, Wazuh agents) that source temporary configuration fragments during live rule reloads without restarting the agent process
Data science environments where Jupyter or Conda activation scripts source shell functions from /var/tmp or home directories as part of virtual environment setup

Sigma rule & cross-platform mapping

The detection logic for Source (T1153) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1153 Sigma rules on detection.fyi

Platform-specific guides for T1153

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-18 Research depth: deep

References (7)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Execute Non-Executable Script via source
Expected signal: auditd EXECVE record for bash with argument array including 'source /tmp/argus_payload.sh'. DeviceProcessEvents (MDE Linux): ProcessCommandLine containing 'source /tmp/argus_payload.sh', FileName=bash. File creation event for /tmp/argus_source_test.txt. The file permission check (644, no execute bit) is visible in the stat output confirming the bypass.
Test 2Source via Dot Notation from /dev/shm
Expected signal: auditd EXECVE record: argument array for sh/bash containing '. /dev/shm/argus_stage.sh'. DeviceProcessEvents: ProcessCommandLine containing '. /dev/shm/argus_stage.sh'. File creation events for both the staged script in /dev/shm and the output file in /tmp.
Test 3Fileless Execution via Process Substitution with source
Expected signal: auditd EXECVE record: bash with argument containing 'source <(echo ...)'. DeviceProcessEvents: ProcessCommandLine matching process substitution pattern. This is a fileless execution — no script file is created on disk, making file-based detections ineffective. The only durable telemetry is process creation and command line logging.
Test 4Load Malicious Shell Function via source
Expected signal: auditd EXECVE records: (1) bash executing 'source /tmp/argus_func_payload.sh', (2) bash executing 'argus_backdoor test_argument' as a shell builtin invocation. DeviceProcessEvents: ProcessCommandLine showing both the source invocation and function call. Note that shell function calls may not generate separate process creation events since they execute in the current shell context — this is a key detection gap for function-based payloads.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1153 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Source

What is T1153 Source?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1153

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Execution

Popular Detections

What is T1153 Source?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1153

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Execution

Popular Detections

Get new detections in your inbox