T1153 Source Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousSourcePaths = dynamic([
  "/tmp/", "/dev/shm/", "/var/tmp/", "/run/", "/proc/",
  "/home/", "/root/", "/dev/fd/"
]);
let SuspiciousParents = dynamic([
  "curl", "wget", "python", "python3", "perl", "ruby",
  "php", "nc", "ncat", "socat"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where OSPlatform in ("Linux", "macOS")
| where FileName in ("bash", "sh", "zsh", "dash", "ksh", "fish")
| where ProcessCommandLine has "source " or ProcessCommandLine matches regex @"(?:^|\s)\.\s+[/~]"
| extend SourcedPath = extract(@"source\s+([^\s;|&]+)|(?:^|\s)\.\s+([^\s;|&]+)", 1, ProcessCommandLine)
| extend IsFromTempDir = ProcessCommandLine has_any (SuspiciousSourcePaths)
| extend IsProcessSubstitution = ProcessCommandLine matches regex @"source\s+<\(" or ProcessCommandLine matches regex @"\.\s+<\("
| extend SuspiciousParent = InitiatingProcessFileName has_any (SuspiciousParents)
| extend IsNonExecutable = ProcessCommandLine matches regex @"source\s+.*\.(txt|log|conf|dat|bak|tmp)" 
or ProcessCommandLine matches regex @"\.\s+.*\.(txt|log|conf|dat|bak|tmp)"
| extend HasBase64Payload = ProcessCommandLine has "base64" and (ProcessCommandLine has "source" or ProcessCommandLine matches regex @"(?:^|\s)\.\s+")
| where IsFromTempDir or IsProcessSubstitution or SuspiciousParent or IsNonExecutable or HasBase64Payload
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, SourcedPath,
         IsFromTempDir, IsProcessSubstitution, SuspiciousParent, IsNonExecutable, HasBase64Payload
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint (Linux/macOS)

Required Tables

DeviceProcessEvents

False Positives

System initialization scripts and package installers legitimately source configuration files from /tmp during installation (e.g., some pip or npm install procedures)
Developers and DevOps engineers routinely source virtual environment activation scripts (e.g., source ./venv/bin/activate) which may reside in project directories under /home/
Configuration management tools (Ansible, Chef, Puppet) may source scripts during provisioning runs
Shell profile management tools (oh-my-zsh, bash-it) source scripts during terminal initialization from home directories
CI/CD pipeline agents sourcing build environment scripts from workspace directories that may match /home/ path patterns

Splunk

spl

index=linux_logs (sourcetype="linux_auditd" OR sourcetype="syslog" OR sourcetype="auditd")
| eval cmdline=coalesce(cmd, command, msg)
| search (cmdline="*source /*" OR cmdline="* . /*" OR cmdline="* . ~/*")
| eval IsFromTempDir=if(match(cmdline, "source\s+/(tmp|dev/shm|var/tmp|run)/|\s\.\s+/(tmp|dev/shm|var/tmp|run)/"), 1, 0)
| eval IsProcessSubstitution=if(match(cmdline, "source\s+<\(|\s\.\s+<\("), 1, 0)
| eval IsNonExecutable=if(match(cmdline, "source\s+\S+\.(txt|log|conf|dat|bak|tmp)|\s\.\s+\S+\.(txt|log|conf|dat|bak|tmp)"), 1, 0)
| eval HasBase64=if(match(cmdline, "base64") AND match(cmdline, "source |\s\.\s"), 1, 0)
| eval SuspiciousParent=if(match(parent_process, "curl|wget|python|python3|perl|ruby|php|nc|ncat|socat"), 1, 0)
| eval SuspicionScore=IsFromTempDir + IsProcessSubstitution + IsNonExecutable + HasBase64 + SuspiciousParent
| where SuspicionScore > 0
| table _time, host, user, cmdline, parent_process, IsFromTempDir, IsProcessSubstitution, IsNonExecutable, HasBase64, SuspiciousParent, SuspicionScore
| sort - SuspicionScore, - _time

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Linux auditd / syslog

Required Sourcetypes

linux_auditd syslog auditd

False Positives

Software installers and package managers sourcing temporary scripts during installation workflows
Developers sourcing Python virtual environment activation scripts (e.g., . venv/bin/activate) from project directories
CI/CD agents and build systems sourcing environment setup scripts from workspace paths
Shell plugin managers (oh-my-zsh, prezto) sourcing configuration from home directories at session start
Infrastructure automation tools (Ansible local actions, cloud-init) sourcing configuration scripts during provisioning

Elastic Security (EQL)

eql

process where host.os.type in ("linux", "macos") and
  process.name in ("bash", "sh", "zsh", "dash", "ksh", "fish") and
  (
    process.command_line like~ "*source /*" or
    process.command_line like~ "* . /*" or
    process.command_line like~ "* . ~/*"
  ) and
  (
    process.command_line like~ "*source */tmp/*" or
    process.command_line like~ "*source */dev/shm/*" or
    process.command_line like~ "*source */var/tmp/*" or
    process.command_line like~ "*source */run/*" or
    process.command_line like~ "* . /tmp/*" or
    process.command_line like~ "* . /dev/shm/*" or
    process.command_line like~ "* . /var/tmp/*" or
    process.command_line like~ "*source <(*" or
    process.command_line like~ "*. <(*" or
    process.command_line like~ "*source *.txt*" or
    process.command_line like~ "*source *.log*" or
    process.command_line like~ "*source *.conf*" or
    process.command_line like~ "*source *.bak*" or
    process.command_line like~ "*source *.tmp*" or
    (process.command_line like~ "*base64*" and process.command_line like~ "*source *") or
    process.parent.name in ("curl", "wget", "python", "python3", "perl", "ruby", "php", "nc", "ncat", "socat")
  )

medium severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.process-*

False Positives

System administrators sourcing environment setup scripts from /tmp during interactive maintenance or one-off debugging sessions
CI/CD pipeline agents (Jenkins, GitLab Runner) that extract build scripts to /tmp and source them as part of normal job execution
Developer dotfile managers (chezmoi, yadm) that source shell function libraries using non-.sh extensions such as .conf during shell initialisation

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "Command" AS cmdline,
  "ParentCommandLine" AS parent_process,
  CASE WHEN REGEXP_MATCH("Command", 'source\s+/(tmp|dev/shm|var/tmp|run)/')
       OR REGEXP_MATCH("Command", '(?:^|\s)\.\s+/(tmp|dev/shm|var/tmp|run)/')
       THEN 1 ELSE 0 END AS IsFromTempDir,
  CASE WHEN REGEXP_MATCH("Command", 'source\s+<\(')
       OR REGEXP_MATCH("Command", '(?:^|\s)\.\s+<\(')
       THEN 1 ELSE 0 END AS IsProcessSubstitution,
  CASE WHEN REGEXP_MATCH("Command", 'source\s+\S+\.(txt|log|conf|dat|bak|tmp)')
       OR REGEXP_MATCH("Command", '(?:^|\s)\.\s+\S+\.(txt|log|conf|dat|bak|tmp)')
       THEN 1 ELSE 0 END AS IsNonExecutable,
  CASE WHEN "Command" ILIKE '%base64%'
       AND ("Command" ILIKE '%source %' OR "Command" ILIKE '% . %')
       THEN 1 ELSE 0 END AS HasBase64,
  CASE WHEN REGEXP_MATCH("ParentCommandLine", '(?i)curl|wget|python3?|perl|ruby|php|ncat?|socat')
       THEN 1 ELSE 0 END AS SuspiciousParent
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('LinuxAuditd', 'Linux OS', 'Unix')
  AND (
    "Command" ILIKE '%source /%'
    OR "Command" ILIKE '% . /%'
    OR "Command" ILIKE '% . ~/%'
  )
  AND (
    REGEXP_MATCH("Command", 'source\s+/(tmp|dev/shm|var/tmp|run)/')
    OR REGEXP_MATCH("Command", '(?:^|\s)\.\s+/(tmp|dev/shm|var/tmp|run)/')
    OR REGEXP_MATCH("Command", 'source\s+<\(')
    OR REGEXP_MATCH("Command", '(?:^|\s)\.\s+<\(')
    OR REGEXP_MATCH("Command", 'source\s+\S+\.(txt|log|conf|dat|bak|tmp)')
    OR ("Command" ILIKE '%base64%' AND "Command" ILIKE '%source %')
    OR REGEXP_MATCH("ParentCommandLine", '(?i)curl|wget|python3?|perl|ruby|php|ncat?|socat')
  )
ORDER BY event_time DESC
LAST 24 HOURS

medium severity medium confidence

Data Sources

Linux Audit Daemon (auditd) Unix syslog QRadar Linux OS log source

Required Tables

events

False Positives

Automated configuration management tools (Ansible, Chef) that stage scripts to /tmp and source them to inject environment variables into the current shell
Container entrypoint scripts that source /tmp-based secrets injected via mounted ConfigMaps or Secrets at container start time
Interactive developer sessions on shared build hosts where sourcing local dotfiles from non-standard paths is routine

Sumo Logic CSE

sql

(_sourceCategory=linux* OR _sourceCategory=*audit* OR _sourceCategory=*syslog*)
| parse regex "(?:cmd|command|msg|CommandLine)=[\"']?(?P<cmdline>[^\"'\n]+)[\"']?" nodrop
| parse regex "(?:ppid_cmd|parent_process|ParentCommandLine)=[\"']?(?P<parent_proc>[^\"'\n]+)[\"']?" nodrop
| where cmdline matches "*source /*" OR cmdline matches "* . /*" OR cmdline matches "* . ~/*"
| eval IsFromTempDir = if(matches(cmdline, "source\\s+/(tmp|dev/shm|var/tmp|run)/") OR matches(cmdline, "\\s\\.\\s+/(tmp|dev/shm|var/tmp|run)/"), 1, 0)
| eval IsProcessSubstitution = if(matches(cmdline, "source\\s+<\\(") OR matches(cmdline, "\\s\\.\\s+<\\("), 1, 0)
| eval IsNonExecutable = if(matches(cmdline, "source\\s+\\S+\\.(txt|log|conf|dat|bak|tmp)") OR matches(cmdline, "\\s\\.\\s+\\S+\\.(txt|log|conf|dat|bak|tmp)"), 1, 0)
| eval HasBase64 = if(matches(cmdline, "base64") AND (matches(cmdline, "source ") OR matches(cmdline, " \\. ")), 1, 0)
| eval SuspiciousParent = if(matches(parent_proc, "curl|wget|python3?|perl|ruby|php|ncat?|socat"), 1, 0)
| eval SuspicionScore = IsFromTempDir + IsProcessSubstitution + IsNonExecutable + HasBase64 + SuspiciousParent
| where SuspicionScore > 0
| fields _messageTime, _sourceHost, cmdline, parent_proc, IsFromTempDir, IsProcessSubstitution, IsNonExecutable, HasBase64, SuspiciousParent, SuspicionScore
| sort by SuspicionScore desc, _messageTime desc

medium severity medium confidence

Data Sources

Linux Audit Daemon (auditd) Linux syslog CrowdStrike Falcon syslog forwarder osquery

Required Tables

linux_audit syslog

False Positives

Package installer scripts (pip, npm, brew on macOS) that extract archives to /tmp and source shell wrappers as part of post-install hooks
Penetration testing tools such as Metasploit post-exploitation modules that legitimately generate /tmp payloads in authorised engagements
Security monitoring agents that source configuration fragments from /run or /var/tmp during startup as part of their normal initialisation

Google Chronicle / SecOps

yaral

rule shell_source_command_suspicious_execution {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects suspicious shell source or dot-notation execution targeting world-writable paths, process substitution, non-executable files, or base64 payloads on Linux/macOS"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1153"
    mitre_attack_technique_name = "Source"
    severity = "MEDIUM"
    priority = "MEDIUM"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path = /\/(bash|sh|zsh|dash|ksh|fish)$/
    (
      $e.target.process.command_line = /source\s+\// or
      $e.target.process.command_line = /(?:^|\s)\.\s+[\/~]/
    )
    (
      $e.target.process.command_line = /source\s+\/(tmp|dev\/shm|var\/tmp|run)\// or
      $e.target.process.command_line = /(?:^|\s)\.\s+\/(tmp|dev\/shm|var\/tmp|run)\// or
      $e.target.process.command_line = /source\s+<\(/ or
      $e.target.process.command_line = /(?:^|\s)\.\s+<\(/ or
      $e.target.process.command_line = /source\s+\S+\.(txt|log|conf|dat|bak|tmp)/ or
      $e.target.process.command_line = /(?:^|\s)\.\s+\S+\.(txt|log|conf|dat|bak|tmp)/ or
      (
        $e.target.process.command_line = /base64/ and
        $e.target.process.command_line = /source /
      ) or
      $e.principal.process.file.full_path = /\/(curl|wget|python3?|perl|ruby|php|ncat?|socat)$/
    )

  condition:
    $e
}

medium severity medium confidence

Data Sources

Endpoint Detection and Response (EDR) CrowdStrike Falcon Carbon Black Chronicle forwarder (auditd/syslog)

Required Tables

PROCESS_LAUNCH UDM events

False Positives

Legitimate infrastructure automation (Terraform provisioners, cloud-init) that stages and sources shell scripts in /tmp during instance bootstrap
Developer environment setup scripts (nvm, rbenv, pyenv) that source shell initialisation fragments from non-.sh files located in home or temp directories
Container orchestration sidecars (Vault Agent, Consul Template) that render secrets to /dev/shm and source them via shell wrappers to avoid disk persistence

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /\/(bash|sh|zsh|dash|ksh|fish)$/
| CommandLine = /source\s+\/|(?:^|\s)\.\s+[\/~]/
| IsFromTempDir := if(match(CommandLine, regex="source\\s+/(tmp|dev/shm|var/tmp|run)/") OR match(CommandLine, regex="(?:^|\\s)\\.\\s+/(tmp|dev/shm|var/tmp|run)/"), 1, 0)
| IsProcessSubstitution := if(match(CommandLine, regex="source\\s+<\\(") OR match(CommandLine, regex="(?:^|\\s)\\.\\s+<\\("), 1, 0)
| IsNonExecutable := if(match(CommandLine, regex="(?i)source\\s+\\S+\\.(txt|log|conf|dat|bak|tmp)") OR match(CommandLine, regex="(?i)(?:^|\\s)\\.\\s+\\S+\\.(txt|log|conf|dat|bak|tmp)"), 1, 0)
| HasBase64 := if(match(CommandLine, regex="base64") AND match(CommandLine, regex="source "), 1, 0)
| SuspiciousParent := if(match(ParentBaseFileName, regex="(?i)^(curl|wget|python3?|perl|ruby|php|ncat?|socat)$"), 1, 0)
| SuspicionScore := IsFromTempDir + IsProcessSubstitution + IsNonExecutable + HasBase64 + SuspiciousParent
| SuspicionScore > 0
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, IsFromTempDir, IsProcessSubstitution, IsNonExecutable, HasBase64, SuspiciousParent, SuspicionScore])
| sort(SuspicionScore, order=desc)

medium severity medium confidence

Data Sources

CrowdStrike Falcon Sensor (Linux/macOS endpoint)

Required Tables

ProcessRollup2

False Positives

Software deployment pipelines running on Linux Falcon-protected hosts that use shell wrappers to source environment files from /tmp before invoking build steps
Security tooling (OSSEC, Wazuh agents) that source temporary configuration fragments during live rule reloads without restarting the agent process
Data science environments where Jupyter or Conda activation scripts source shell functions from /var/tmp or home directories as part of virtual environment setup

Source

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Execution

Popular Detections