Detect Source in IBM QRadar
Adversaries may abuse the shell builtin source (or its POSIX equivalent, the dot command: '. file') to evaluate an arbitrary script inside the current shell process. Because the shell reads the file and interprets it in-process rather than handing it to execve(), the file needs only read permission: it does not need the execute bit (chmod +x), and a noexec mount on /tmp or /dev/shm does not stop it. The technique is deprecated in ATT&CK (T1153 remains linked below for reference) but the behaviour is unchanged on Linux and macOS. Typical uses are executing staged payloads written to world-writable directories such as /tmp or /dev/shm, loading malicious shell functions into a long-lived session so that later calls spawn no new process, running a script that never touches disk through bash process substitution (source <(curl ...)), and chaining with persistence by appending a source line to .bashrc or .profile so the payload is reloaded at every login. The same property cuts both ways for defenders: since no new process is created for the sourced file, the invocation only appears in process telemetry when the source command itself is part of a command line passed to a shell (bash -c 'source /tmp/x'), which is what the query below keys on.
MITRE ATT&CK
- Tactic: Execution
- Canonical reference: https://attack.mitre.org/techniques/T1153/
QRadar Detection Query
SELECT
    DATEFORMAT(devicetime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
    sourceip,
    username,
    "Command" AS cmdline,
    "ParentCommandLine" AS parent_process,
    CASE WHEN "Command" MATCHES '.*(^|\s)(source|\.)\s+/(tmp|dev/shm|var/tmp|run)/.*'
         THEN 1 ELSE 0 END AS IsFromTempDir,
    CASE WHEN "Command" MATCHES '.*(^|\s)(source|\.)\s+<\(.*'
         THEN 1 ELSE 0 END AS IsProcessSubstitution,
    CASE WHEN "Command" MATCHES '.*(^|\s)(source|\.)\s+\S+\.(txt|log|conf|dat|bak|tmp)\b.*'
         THEN 1 ELSE 0 END AS IsNonExecutable,
    CASE WHEN "Command" ILIKE '%base64%'
         THEN 1 ELSE 0 END AS HasBase64,
    CASE WHEN "ParentCommandLine" MATCHES '(?i).*(curl|wget|python3?|perl|ruby|php|\bnc(at)?\b|socat).*'
         THEN 1 ELSE 0 END AS SuspiciousParent
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('LinuxAuditd', 'Linux OS', 'Unix')
  AND ("Command" ILIKE '%source %' OR "Command" ILIKE '% . %' OR "Command" ILIKE '. %')
  AND (
        "Command" MATCHES '.*(^|\s)(source|\.)\s+/(tmp|dev/shm|var/tmp|run)/.*'
     OR "Command" MATCHES '.*(^|\s)(source|\.)\s+<\(.*'
     OR "Command" MATCHES '.*(^|\s)(source|\.)\s+\S+\.(txt|log|conf|dat|bak|tmp)\b.*'
     OR "Command" ILIKE '%base64%'
     OR "ParentCommandLine" MATCHES '(?i).*(curl|wget|python3?|perl|ruby|php|\bnc(at)?\b|socat).*'
  )
ORDER BY event_time DESC
LAST 24 HOURS

QRadar AQL search targeting Linux/Unix auditd log sources for shell source command abuse. It matches EXECVE records whose extracted command line contains a source or dot-space invocation pointing at a world-writable staging directory, a process substitution, a file with a non-executable extension, or a base64-decoding pipeline, and it scores each indicator independently so alerts can be tiered (one indicator as a low-severity lead, two or more as an incident). "Command" and "ParentCommandLine" are custom event properties that must be extracted from the EXECVE argument fields before the search returns anything. Two things to keep in mind when reading the patterns: AQL's MATCHES operator is a whole-value match, which is why every regular expression is wrapped in .*; and the cheap ILIKE prefilter in the WHERE clause runs before the regular expressions, so both must accept a form (for example 'source <(') for that form to be detected. The netcat term is word-bounded so that rsync, sync and similar parents do not match. Finally, the sourced file itself never passes through execve(): a 'source /tmp/x' typed into an interactive shell produces no EXECVE record at all. This search only sees invocations passed as a string to a shell (bash -c 'source /tmp/x'), whether from a remote command, a cron entry or a wrapper script; covering the interactive case needs shell-level telemetry such as forwarded bash history or an auditd watch with read permission on the staging directories.
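To check what each indicator in the search actually catches before it is deployed, here is an added example (not from the page, and not AQL: the same patterns re-expressed for grep -E so they run in a shell) applied to constructed command lines shaped like the Command property. The sample strings are made up for this example; the argus_payload.sh, argus_stage.sh and argus_backdoor names echo the test section below but carry no real telemetry. It also makes the interactive-shell gap concrete: '-bash' carries no source string, so nothing fires.

```shell
# Added example (not part of the page or of QRadar): the search's indicators
# re-implemented with grep -E so each pattern can be exercised offline.
# Sample command lines are constructed for this example and mimic the argv of an
# auditd EXECVE record after extraction into the "Command" property.

# Prefilter: does the command line invoke `source` or `.` at all?
# (the role of the ILIKE clauses in the AQL WHERE)
invokes_source() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])(source|\.)[[:space:]]'
}

# Prints the space-separated indicator names a command line triggers ("" if none).
classify_cmd() {
    cmd=$1
    tags=""
    invokes_source "$cmd" || { echo ""; return 0; }
    printf '%s\n' "$cmd" | grep -Eq '(^|[[:space:]])(source|\.)[[:space:]]+/(tmp|dev/shm|var/tmp|run)/' \
        && tags="$tags IsFromTempDir"
    printf '%s\n' "$cmd" | grep -Eq '(^|[[:space:]])(source|\.)[[:space:]]+<\(' \
        && tags="$tags IsProcessSubstitution"
    printf '%s\n' "$cmd" | grep -Eq '(^|[[:space:]])(source|\.)[[:space:]]+[^[:space:]]+\.(txt|log|conf|dat|bak|tmp)([^[:alnum:]]|$)' \
        && tags="$tags IsNonExecutable"
    printf '%s\n' "$cmd" | grep -Eqi 'base64' \
        && tags="$tags HasBase64"
    echo "${tags# }"
}

# Parent-process indicator. `nc` is bounded by non-alphanumerics so that rsync,
# sync and similar parent names do not match. Exit status 0 = suspicious.
suspicious_parent() {
    printf '%s\n' "$1" | grep -Eqi 'curl|wget|python3?|perl|ruby|php|(^|[^[:alnum:]])nc(at)?([^[:alnum:]]|$)|socat'
}

# Constructed sample command lines (not real telemetry). The base64 blob decodes to
# "echo pwned" and is only ever treated as data here.
SAMPLE_TMP='bash -c source /tmp/argus_payload.sh'
SAMPLE_SHM='sh -c . /dev/shm/argus_stage.sh'
SAMPLE_FILELESS='bash -c source <(echo ZWNobyBwd25lZA== | base64 -d)'
SAMPLE_TXT='bash -c source /home/dev/notes.txt && argus_backdoor test_argument'
SAMPLE_BENIGN='bash -c . /etc/profile'
SAMPLE_INTERACTIVE='-bash'   # login shell: a `source` typed into it never reaches execve()

# Stand-alone run: one line per sample with the indicators it would light up.
report() {
    for s in "$SAMPLE_TMP" "$SAMPLE_SHM" "$SAMPLE_FILELESS" \
             "$SAMPLE_TXT" "$SAMPLE_BENIGN" "$SAMPLE_INTERACTIVE"; do
        printf '%-72s -> [%s]\n' "$s" "$(classify_cmd "$s")"
    done
}
report
```

The last two samples are the tuning cases: '. /etc/profile' passes the prefilter but trips no indicator, and the interactive login shell is invisible to this logic entirely, which is the gap the search description calls out.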
Data Sources
- Log source types: LinuxAuditd, Linux OS, Unix (auditd EXECVE records, or an equivalent process creation event that carries the full argv)
- Custom event properties: Command (the executed argv joined into one string) and ParentCommandLine, extracted from the EXECVE a0..aN fields; both must be defined and enabled for the search above to return rows
Required Tables
- events
False Positives & Tuning
- Automated configuration management tools (Ansible, Chef) that stage scripts to /tmp and source them to inject environment variables into the current shell
- Container entrypoint scripts that source /tmp-based secrets injected via mounted ConfigMaps or Secrets at container start time
- Interactive developer sessions on shared build hosts where sourcing local dotfiles from non-standard paths is routine
- Tune by excluding the known script paths and parent processes behind the cases above rather than removing the /tmp and /dev/shm indicators, and alert at a lower tier when SuspiciousParent is the only indicator that fires
Testing Methodology
Validate this detection against the four Atomic Red Team style tests below. Each lists the behaviour to exercise and the telemetry you should expect to see. Because the sourced file never passes through execve(), the expected EXECVE signals assume the source invocation is handed to a shell as a string (bash -c 'source ...'); a source typed at an interactive prompt produces no such record. Executable commands and cleanup steps are available with Pro.
- Test 1: Execute Non-Executable Script via source
Expected signal: auditd EXECVE record for bash with argument array including 'source /tmp/argus_payload.sh'. DeviceProcessEvents (MDE Linux): ProcessCommandLine containing 'source /tmp/argus_payload.sh', FileName=bash. File creation event for /tmp/argus_source_test.txt. The file permission check (644, no execute bit) is visible in the stat output, confirming that the execute-bit requirement was bypassed.
- Test 2: Source via Dot Notation from /dev/shm
Expected signal: auditd EXECVE record: argument array for sh/bash containing '. /dev/shm/argus_stage.sh'. DeviceProcessEvents: ProcessCommandLine containing '. /dev/shm/argus_stage.sh'. File creation events for both the staged script in /dev/shm and the output file in /tmp.
- Test 3: Fileless Execution via Process Substitution with source
Expected signal: auditd EXECVE record: bash with argument containing 'source <(echo ...)'. DeviceProcessEvents: ProcessCommandLine matching the process substitution pattern. This is fileless execution: no script file is created on disk, so file-based detections do not apply. The only durable telemetry is process creation and command line logging.
- Test 4: Load Malicious Shell Function via source
Expected signal: auditd EXECVE record for bash whose argument string contains both 'source /tmp/argus_func_payload.sh' and the subsequent call 'argus_backdoor test_argument' (they arrive in one record when run as a single bash -c string). DeviceProcessEvents: ProcessCommandLine showing the same source invocation and function call. The function call itself is a shell function, not a builtin, and is evaluated inside that shell; it generates no EXECVE record of its own, and only external commands the function runs would appear as child processes of bash. This is the key detection gap for function-based payloads: once a function has been loaded into a long-lived session, later invocations leave no process creation telemetry.
References (8)
- https://attack.mitre.org/techniques/T1153/
- https://ss64.com/bash/source.html
- https://www.gnu.org/software/bash/manual/bash.html#Bourne-Shell-Builtins
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1153/T1153.md
- https://linux.die.net/man/8/auditd
- https://github.com/SigmaHQ/sigma/tree/master/rules/linux
- https://www.cyberciti.biz/faq/bash-source-command/
- https://learn.microsoft.com/en-us/defender-endpoint/linux-support-events