Detect Source in CrowdStrike LogScale
Adversaries may abuse the shell built-in source command (or its dot notation equivalent '. ') to execute arbitrary scripts in the current shell context without requiring the target file to be marked executable. This technique is deprecated in ATT&CK but the underlying behavior remains relevant on Linux and macOS systems. The source command can load malicious functions into the current shell session, execute staged payloads from world-writable directories, or run scripts pulled from remote locations via process substitution (e.g., source <(curl ...)). Because the file does not need execute permissions (chmod +x), this technique can bypass permission-based detection controls. Adversaries commonly use this to execute payloads written to /tmp or /dev/shm, load malicious shell functions into memory, or chain with other techniques such as modifying .bashrc or .profile for persistence.
MITRE ATT&CK
- Tactic
- Execution
- Canonical reference
- https://attack.mitre.org/techniques/T1153/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| ImageFileName = /\/(bash|sh|zsh|dash|ksh|fish)$/
| CommandLine = /source\s+\/|(?:^|\s)\.\s+[\/~]/
| IsFromTempDir := if(match(CommandLine, regex="source\\s+/(tmp|dev/shm|var/tmp|run)/") OR match(CommandLine, regex="(?:^|\\s)\\.\\s+/(tmp|dev/shm|var/tmp|run)/"), 1, 0)
| IsProcessSubstitution := if(match(CommandLine, regex="source\\s+<\\(") OR match(CommandLine, regex="(?:^|\\s)\\.\\s+<\\("), 1, 0)
| IsNonExecutable := if(match(CommandLine, regex="(?i)source\\s+\\S+\\.(txt|log|conf|dat|bak|tmp)") OR match(CommandLine, regex="(?i)(?:^|\\s)\\.\\s+\\S+\\.(txt|log|conf|dat|bak|tmp)"), 1, 0)
| HasBase64 := if(match(CommandLine, regex="base64") AND match(CommandLine, regex="source "), 1, 0)
| SuspiciousParent := if(match(ParentBaseFileName, regex="(?i)^(curl|wget|python3?|perl|ruby|php|ncat?|socat)$"), 1, 0)
| SuspicionScore := IsFromTempDir + IsProcessSubstitution + IsNonExecutable + HasBase64 + SuspiciousParent
| SuspicionScore > 0
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, IsFromTempDir, IsProcessSubstitution, IsNonExecutable, HasBase64, SuspiciousParent, SuspicionScore])
| sort(SuspicionScore, order=desc)CrowdStrike LogScale (Falcon) query against ProcessRollup2 events targeting shell interpreter executions that contain source or dot-space invocations. Evaluates five weighted indicators — suspicious path, process substitution, non-executable extension, base64 payload, and network utility parent — and ranks results by composite suspicion score to prioritise analyst review.
Data Sources
Required Tables
False Positives & Tuning
- Software deployment pipelines running on Linux Falcon-protected hosts that use shell wrappers to source environment files from /tmp before invoking build steps
- Security tooling (OSSEC, Wazuh agents) that source temporary configuration fragments during live rule reloads without restarting the agent process
- Data science environments where Jupyter or Conda activation scripts source shell functions from /var/tmp or home directories as part of virtual environment setup
Other platforms for T1153
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Execute Non-Executable Script via source
Expected signal: auditd EXECVE record for bash with argument array including 'source /tmp/argus_payload.sh'. DeviceProcessEvents (MDE Linux): ProcessCommandLine containing 'source /tmp/argus_payload.sh', FileName=bash. File creation event for /tmp/argus_source_test.txt. The file permission check (644, no execute bit) is visible in the stat output confirming the bypass.
- Test 2Source via Dot Notation from /dev/shm
Expected signal: auditd EXECVE record: argument array for sh/bash containing '. /dev/shm/argus_stage.sh'. DeviceProcessEvents: ProcessCommandLine containing '. /dev/shm/argus_stage.sh'. File creation events for both the staged script in /dev/shm and the output file in /tmp.
- Test 3Fileless Execution via Process Substitution with source
Expected signal: auditd EXECVE record: bash with argument containing 'source <(echo ...)'. DeviceProcessEvents: ProcessCommandLine matching process substitution pattern. This is a fileless execution — no script file is created on disk, making file-based detections ineffective. The only durable telemetry is process creation and command line logging.
- Test 4Load Malicious Shell Function via source
Expected signal: auditd EXECVE records: (1) bash executing 'source /tmp/argus_func_payload.sh', (2) bash executing 'argus_backdoor test_argument' as a shell builtin invocation. DeviceProcessEvents: ProcessCommandLine showing both the source invocation and function call. Note that shell function calls may not generate separate process creation events since they execute in the current shell context — this is a key detection gap for function-based payloads.
References (8)
- https://attack.mitre.org/techniques/T1153/
- https://ss64.com/bash/source.html
- https://www.gnu.org/software/bash/manual/bash.html#Bourne-Shell-Builtins
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1153/T1153.md
- https://linux.die.net/man/8/auditd
- https://github.com/SigmaHQ/sigma/tree/master/rules/linux
- https://www.cyberciti.biz/faq/bash-source-command/
- https://learn.microsoft.com/en-us/defender-endpoint/linux-support-events
Unlock Pro Content
Get the full detection package for T1153 including response playbook, investigation guide, and atomic red team tests.