Detect Source in Google Chronicle
Adversaries may abuse the shell built-in source command (or its dot notation equivalent '. ') to execute arbitrary scripts in the current shell context without requiring the target file to be marked executable. This technique is deprecated in ATT&CK but the underlying behavior remains relevant on Linux and macOS systems. The source command can load malicious functions into the current shell session, execute staged payloads from world-writable directories, or run scripts pulled from remote locations via process substitution (e.g., source <(curl ...)). Because the file does not need execute permissions (chmod +x), this technique can bypass permission-based detection controls. Adversaries commonly use this to execute payloads written to /tmp or /dev/shm, load malicious shell functions into memory, or chain with other techniques such as modifying .bashrc or .profile for persistence.
MITRE ATT&CK
- Tactic
- Execution
- Canonical reference
- https://attack.mitre.org/techniques/T1153/
YARA-L Detection Query
rule shell_source_command_suspicious_execution {
meta:
author = "Argus Detection Engineering"
description = "Detects suspicious shell source or dot-notation execution targeting world-writable paths, process substitution, non-executable files, or base64 payloads on Linux/macOS"
mitre_attack_tactic = "Execution"
mitre_attack_technique = "T1153"
mitre_attack_technique_name = "Source"
severity = "MEDIUM"
priority = "MEDIUM"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
$e.target.process.file.full_path = /\/(bash|sh|zsh|dash|ksh|fish)$/
(
$e.target.process.command_line = /source\s+\// or
$e.target.process.command_line = /(?:^|\s)\.\s+[\/~]/
)
(
$e.target.process.command_line = /source\s+\/(tmp|dev\/shm|var\/tmp|run)\// or
$e.target.process.command_line = /(?:^|\s)\.\s+\/(tmp|dev\/shm|var\/tmp|run)\// or
$e.target.process.command_line = /source\s+<\(/ or
$e.target.process.command_line = /(?:^|\s)\.\s+<\(/ or
$e.target.process.command_line = /source\s+\S+\.(txt|log|conf|dat|bak|tmp)/ or
$e.target.process.command_line = /(?:^|\s)\.\s+\S+\.(txt|log|conf|dat|bak|tmp)/ or
(
$e.target.process.command_line = /base64/ and
$e.target.process.command_line = /source /
) or
$e.principal.process.file.full_path = /\/(curl|wget|python3?|perl|ruby|php|ncat?|socat)$/
)
condition:
$e
}Chronicle YARA-L 2.0 rule detecting shell source command abuse via UDM PROCESS_LAUNCH events. Matches target process command lines where a shell interpreter is invoked with source or dot-notation against suspicious paths (/tmp, /dev/shm, /var/tmp, /run), process substitutions, non-executable file extensions, base64 payloads, or where the initiating parent is a network utility such as curl or wget.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate infrastructure automation (Terraform provisioners, cloud-init) that stages and sources shell scripts in /tmp during instance bootstrap
- Developer environment setup scripts (nvm, rbenv, pyenv) that source shell initialisation fragments from non-.sh files located in home or temp directories
- Container orchestration sidecars (Vault Agent, Consul Template) that render secrets to /dev/shm and source them via shell wrappers to avoid disk persistence
Other platforms for T1153
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Execute Non-Executable Script via source
Expected signal: auditd EXECVE record for bash with argument array including 'source /tmp/argus_payload.sh'. DeviceProcessEvents (MDE Linux): ProcessCommandLine containing 'source /tmp/argus_payload.sh', FileName=bash. File creation event for /tmp/argus_source_test.txt. The file permission check (644, no execute bit) is visible in the stat output confirming the bypass.
- Test 2Source via Dot Notation from /dev/shm
Expected signal: auditd EXECVE record: argument array for sh/bash containing '. /dev/shm/argus_stage.sh'. DeviceProcessEvents: ProcessCommandLine containing '. /dev/shm/argus_stage.sh'. File creation events for both the staged script in /dev/shm and the output file in /tmp.
- Test 3Fileless Execution via Process Substitution with source
Expected signal: auditd EXECVE record: bash with argument containing 'source <(echo ...)'. DeviceProcessEvents: ProcessCommandLine matching process substitution pattern. This is a fileless execution — no script file is created on disk, making file-based detections ineffective. The only durable telemetry is process creation and command line logging.
- Test 4Load Malicious Shell Function via source
Expected signal: auditd EXECVE records: (1) bash executing 'source /tmp/argus_func_payload.sh', (2) bash executing 'argus_backdoor test_argument' as a shell builtin invocation. DeviceProcessEvents: ProcessCommandLine showing both the source invocation and function call. Note that shell function calls may not generate separate process creation events since they execute in the current shell context — this is a key detection gap for function-based payloads.
References (8)
- https://attack.mitre.org/techniques/T1153/
- https://ss64.com/bash/source.html
- https://www.gnu.org/software/bash/manual/bash.html#Bourne-Shell-Builtins
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1153/T1153.md
- https://linux.die.net/man/8/auditd
- https://github.com/SigmaHQ/sigma/tree/master/rules/linux
- https://www.cyberciti.biz/faq/bash-source-command/
- https://learn.microsoft.com/en-us/defender-endpoint/linux-support-events
Unlock Pro Content
Get the full detection package for T1153 including response playbook, investigation guide, and atomic red team tests.