T1153 Elastic Security · Elastic

Detect Source in Elastic Security

Adversaries may abuse the shell built-in source command (or its dot notation equivalent '. ') to execute arbitrary scripts in the current shell context without requiring the target file to be marked executable. This technique is deprecated in ATT&CK but the underlying behavior remains relevant on Linux and macOS systems. The source command can load malicious functions into the current shell session, execute staged payloads from world-writable directories, or run scripts pulled from remote locations via process substitution (e.g., source <(curl ...)). Because the file does not need execute permissions (chmod +x), this technique can bypass permission-based detection controls. Adversaries commonly use this to execute payloads written to /tmp or /dev/shm, load malicious shell functions into memory, or chain with other techniques such as modifying .bashrc or .profile for persistence.

MITRE ATT&CK

Tactic
Execution
Canonical reference
https://attack.mitre.org/techniques/T1153/

Elastic Detection Query

Elastic Security (Elastic)
eql 
process where host.os.type in ("linux", "macos") and
  process.name in ("bash", "sh", "zsh", "dash", "ksh", "fish") and
  (
    process.command_line like~ "*source /*" or
    process.command_line like~ "* . /*" or
    process.command_line like~ "* . ~/*"
  ) and
  (
    process.command_line like~ "*source */tmp/*" or
    process.command_line like~ "*source */dev/shm/*" or
    process.command_line like~ "*source */var/tmp/*" or
    process.command_line like~ "*source */run/*" or
    process.command_line like~ "* . /tmp/*" or
    process.command_line like~ "* . /dev/shm/*" or
    process.command_line like~ "* . /var/tmp/*" or
    process.command_line like~ "*source <(*" or
    process.command_line like~ "*. <(*" or
    process.command_line like~ "*source *.txt*" or
    process.command_line like~ "*source *.log*" or
    process.command_line like~ "*source *.conf*" or
    process.command_line like~ "*source *.bak*" or
    process.command_line like~ "*source *.tmp*" or
    (process.command_line like~ "*base64*" and process.command_line like~ "*source *") or
    process.parent.name in ("curl", "wget", "python", "python3", "perl", "ruby", "php", "nc", "ncat", "socat")
  )
medium severity medium confidence

Detects suspicious shell source command or dot notation (. ) abuse on Linux/macOS hosts. Flags sourcing from world-writable paths (/tmp, /dev/shm), process substitution patterns (source <(...)), execution of non-executable file types, base64-encoded payloads, and shells spawned by network utility parents such as curl or wget.

Data Sources

Elastic Endpoint SecurityElastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.process-*

False Positives & Tuning

  • System administrators sourcing environment setup scripts from /tmp during interactive maintenance or one-off debugging sessions
  • CI/CD pipeline agents (Jenkins, GitLab Runner) that extract build scripts to /tmp and source them as part of normal job execution
  • Developer dotfile managers (chezmoi, yadm) that source shell function libraries using non-.sh extensions such as .conf during shell initialisation
Download portable Sigma rule (.yml)

Other platforms for T1153

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Execute Non-Executable Script via source

    Expected signal: auditd EXECVE record for bash with argument array including 'source /tmp/argus_payload.sh'. DeviceProcessEvents (MDE Linux): ProcessCommandLine containing 'source /tmp/argus_payload.sh', FileName=bash. File creation event for /tmp/argus_source_test.txt. The file permission check (644, no execute bit) is visible in the stat output confirming the bypass.

  2. Test 2Source via Dot Notation from /dev/shm

    Expected signal: auditd EXECVE record: argument array for sh/bash containing '. /dev/shm/argus_stage.sh'. DeviceProcessEvents: ProcessCommandLine containing '. /dev/shm/argus_stage.sh'. File creation events for both the staged script in /dev/shm and the output file in /tmp.

  3. Test 3Fileless Execution via Process Substitution with source

    Expected signal: auditd EXECVE record: bash with argument containing 'source <(echo ...)'. DeviceProcessEvents: ProcessCommandLine matching process substitution pattern. This is a fileless execution — no script file is created on disk, making file-based detections ineffective. The only durable telemetry is process creation and command line logging.

  4. Test 4Load Malicious Shell Function via source

    Expected signal: auditd EXECVE records: (1) bash executing 'source /tmp/argus_func_payload.sh', (2) bash executing 'argus_backdoor test_argument' as a shell builtin invocation. DeviceProcessEvents: ProcessCommandLine showing both the source invocation and function call. Note that shell function calls may not generate separate process creation events since they execute in the current shell context — this is a key detection gap for function-based payloads.

Last updated: 2026-04-18 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1153 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1059.004Unix ShellT1546.004Unix Shell Configuration ModificationT1105Ingress Tool TransferT1027Obfuscated Files or InformationT1053.003CronT1055Process InjectionT1070.003Clear Command HistoryT1552.001Credentials In FilesT1574.006Dynamic Linker Hijacking

Same Tactic: Execution

Popular Detections