T1153 Microsoft Sentinel · KQL

Detect Source in Microsoft Sentinel

Adversaries may abuse the shell built-in source command (or its dot notation equivalent '. ') to execute arbitrary scripts in the current shell context without requiring the target file to be marked executable. This technique is deprecated in ATT&CK but the underlying behavior remains relevant on Linux and macOS systems. The source command can load malicious functions into the current shell session, execute staged payloads from world-writable directories, or run scripts pulled from remote locations via process substitution (e.g., source <(curl ...)). Because the file does not need execute permissions (chmod +x), this technique can bypass permission-based detection controls. Adversaries commonly use this to execute payloads written to /tmp or /dev/shm, load malicious shell functions into memory, or chain with other techniques such as modifying .bashrc or .profile for persistence.

MITRE ATT&CK

Tactic
Execution
Canonical reference
https://attack.mitre.org/techniques/T1153/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let SuspiciousSourcePaths = dynamic([
  "/tmp/", "/dev/shm/", "/var/tmp/", "/run/", "/proc/",
  "/home/", "/root/", "/dev/fd/"
]);
let SuspiciousParents = dynamic([
  "curl", "wget", "python", "python3", "perl", "ruby",
  "php", "nc", "ncat", "socat"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where OSPlatform in ("Linux", "macOS")
| where FileName in ("bash", "sh", "zsh", "dash", "ksh", "fish")
| where ProcessCommandLine has "source " or ProcessCommandLine matches regex @"(?:^|\s)\.\s+[/~]"
| extend SourcedPath = extract(@"source\s+([^\s;|&]+)|(?:^|\s)\.\s+([^\s;|&]+)", 1, ProcessCommandLine)
| extend IsFromTempDir = ProcessCommandLine has_any (SuspiciousSourcePaths)
| extend IsProcessSubstitution = ProcessCommandLine matches regex @"source\s+<\(" or ProcessCommandLine matches regex @"\.\s+<\("
| extend SuspiciousParent = InitiatingProcessFileName has_any (SuspiciousParents)
| extend IsNonExecutable = ProcessCommandLine matches regex @"source\s+.*\.(txt|log|conf|dat|bak|tmp)" 
or ProcessCommandLine matches regex @"\.\s+.*\.(txt|log|conf|dat|bak|tmp)"
| extend HasBase64Payload = ProcessCommandLine has "base64" and (ProcessCommandLine has "source" or ProcessCommandLine matches regex @"(?:^|\s)\.\s+")
| where IsFromTempDir or IsProcessSubstitution or SuspiciousParent or IsNonExecutable or HasBase64Payload
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, SourcedPath,
         IsFromTempDir, IsProcessSubstitution, SuspiciousParent, IsNonExecutable, HasBase64Payload
| sort by Timestamp desc
medium severity medium confidence

Detects suspicious use of the shell source builtin command (and its dot notation equivalent) on Linux and macOS endpoints monitored by Microsoft Defender for Endpoint. Identifies sourcing from world-writable or temporary directories (/tmp, /dev/shm, /var/tmp), process substitution patterns (source <(curl ...)), sourcing initiated by network tools, sourcing of non-script file extensions (evading extension-based controls), and base64-decoded payloads passed via source. Uses DeviceProcessEvents which covers MDE-enrolled Linux and macOS endpoints.

Data Sources

Process: Process CreationCommand: Command ExecutionMicrosoft Defender for Endpoint (Linux/macOS)

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • System initialization scripts and package installers legitimately source configuration files from /tmp during installation (e.g., some pip or npm install procedures)
  • Developers and DevOps engineers routinely source virtual environment activation scripts (e.g., source ./venv/bin/activate) which may reside in project directories under /home/
  • Configuration management tools (Ansible, Chef, Puppet) may source scripts during provisioning runs
  • Shell profile management tools (oh-my-zsh, bash-it) source scripts during terminal initialization from home directories
  • CI/CD pipeline agents sourcing build environment scripts from workspace directories that may match /home/ path patterns
Download portable Sigma rule (.yml)

Other platforms for T1153

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Execute Non-Executable Script via source

    Expected signal: auditd EXECVE record for bash with argument array including 'source /tmp/argus_payload.sh'. DeviceProcessEvents (MDE Linux): ProcessCommandLine containing 'source /tmp/argus_payload.sh', FileName=bash. File creation event for /tmp/argus_source_test.txt. The file permission check (644, no execute bit) is visible in the stat output confirming the bypass.

  2. Test 2Source via Dot Notation from /dev/shm

    Expected signal: auditd EXECVE record: argument array for sh/bash containing '. /dev/shm/argus_stage.sh'. DeviceProcessEvents: ProcessCommandLine containing '. /dev/shm/argus_stage.sh'. File creation events for both the staged script in /dev/shm and the output file in /tmp.

  3. Test 3Fileless Execution via Process Substitution with source

    Expected signal: auditd EXECVE record: bash with argument containing 'source <(echo ...)'. DeviceProcessEvents: ProcessCommandLine matching process substitution pattern. This is a fileless execution — no script file is created on disk, making file-based detections ineffective. The only durable telemetry is process creation and command line logging.

  4. Test 4Load Malicious Shell Function via source

    Expected signal: auditd EXECVE records: (1) bash executing 'source /tmp/argus_func_payload.sh', (2) bash executing 'argus_backdoor test_argument' as a shell builtin invocation. DeviceProcessEvents: ProcessCommandLine showing both the source invocation and function call. Note that shell function calls may not generate separate process creation events since they execute in the current shell context — this is a key detection gap for function-based payloads.

Last updated: 2026-04-18 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1153 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1059.004Unix ShellT1546.004Unix Shell Configuration ModificationT1105Ingress Tool TransferT1027Obfuscated Files or InformationT1053.003CronT1055Process InjectionT1070.003Clear Command HistoryT1552.001Credentials In FilesT1574.006Dynamic Linker Hijacking

Same Tactic: Execution

Popular Detections