T1153 Splunk · SPL

Detect Source in Splunk

Adversaries may abuse the shell built-in source command (or its dot notation equivalent '. ') to execute arbitrary scripts in the current shell context without requiring the target file to be marked executable. This technique is deprecated in ATT&CK but the underlying behavior remains relevant on Linux and macOS systems. The source command can load malicious functions into the current shell session, execute staged payloads from world-writable directories, or run scripts pulled from remote locations via process substitution (e.g., source <(curl ...)). Because the file does not need execute permissions (chmod +x), this technique can bypass permission-based detection controls. Adversaries commonly use this to execute payloads written to /tmp or /dev/shm, load malicious shell functions into memory, or chain with other techniques such as modifying .bashrc or .profile for persistence.

MITRE ATT&CK

Tactic
Execution
Canonical reference
https://attack.mitre.org/techniques/T1153/

SPL Detection Query

Splunk (SPL)
spl 
index=linux_logs (sourcetype="linux_auditd" OR sourcetype="syslog" OR sourcetype="auditd")
| eval cmdline=coalesce(cmd, command, msg)
| search (cmdline="*source /*" OR cmdline="* . /*" OR cmdline="* . ~/*")
| eval IsFromTempDir=if(match(cmdline, "source\s+/(tmp|dev/shm|var/tmp|run)/|\s\.\s+/(tmp|dev/shm|var/tmp|run)/"), 1, 0)
| eval IsProcessSubstitution=if(match(cmdline, "source\s+<\(|\s\.\s+<\("), 1, 0)
| eval IsNonExecutable=if(match(cmdline, "source\s+\S+\.(txt|log|conf|dat|bak|tmp)|\s\.\s+\S+\.(txt|log|conf|dat|bak|tmp)"), 1, 0)
| eval HasBase64=if(match(cmdline, "base64") AND match(cmdline, "source |\s\.\s"), 1, 0)
| eval SuspiciousParent=if(match(parent_process, "curl|wget|python|python3|perl|ruby|php|nc|ncat|socat"), 1, 0)
| eval SuspicionScore=IsFromTempDir + IsProcessSubstitution + IsNonExecutable + HasBase64 + SuspiciousParent
| where SuspicionScore > 0
| table _time, host, user, cmdline, parent_process, IsFromTempDir, IsProcessSubstitution, IsNonExecutable, HasBase64, SuspiciousParent, SuspicionScore
| sort - SuspicionScore, - _time
medium severity medium confidence

Detects suspicious use of the shell source builtin on Linux/macOS systems via auditd or syslog telemetry. Evaluates sourced command lines for indicators including sourcing from temp/world-writable paths, process substitution with network tools, non-standard file extensions, base64-decoded payloads, and suspicious parent processes. Assigns a composite suspicion score to aid analyst prioritization.

Data Sources

Process: Process CreationCommand: Command ExecutionLinux auditd / syslog

Required Sourcetypes

linux_auditdsyslogauditd

False Positives & Tuning

  • Software installers and package managers sourcing temporary scripts during installation workflows
  • Developers sourcing Python virtual environment activation scripts (e.g., . venv/bin/activate) from project directories
  • CI/CD agents and build systems sourcing environment setup scripts from workspace paths
  • Shell plugin managers (oh-my-zsh, prezto) sourcing configuration from home directories at session start
  • Infrastructure automation tools (Ansible local actions, cloud-init) sourcing configuration scripts during provisioning
Download portable Sigma rule (.yml)

Other platforms for T1153

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Execute Non-Executable Script via source

    Expected signal: auditd EXECVE record for bash with argument array including 'source /tmp/argus_payload.sh'. DeviceProcessEvents (MDE Linux): ProcessCommandLine containing 'source /tmp/argus_payload.sh', FileName=bash. File creation event for /tmp/argus_source_test.txt. The file permission check (644, no execute bit) is visible in the stat output confirming the bypass.

  2. Test 2Source via Dot Notation from /dev/shm

    Expected signal: auditd EXECVE record: argument array for sh/bash containing '. /dev/shm/argus_stage.sh'. DeviceProcessEvents: ProcessCommandLine containing '. /dev/shm/argus_stage.sh'. File creation events for both the staged script in /dev/shm and the output file in /tmp.

  3. Test 3Fileless Execution via Process Substitution with source

    Expected signal: auditd EXECVE record: bash with argument containing 'source <(echo ...)'. DeviceProcessEvents: ProcessCommandLine matching process substitution pattern. This is a fileless execution — no script file is created on disk, making file-based detections ineffective. The only durable telemetry is process creation and command line logging.

  4. Test 4Load Malicious Shell Function via source

    Expected signal: auditd EXECVE records: (1) bash executing 'source /tmp/argus_func_payload.sh', (2) bash executing 'argus_backdoor test_argument' as a shell builtin invocation. DeviceProcessEvents: ProcessCommandLine showing both the source invocation and function call. Note that shell function calls may not generate separate process creation events since they execute in the current shell context — this is a key detection gap for function-based payloads.

Last updated: 2026-04-18 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1153 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1059.004Unix ShellT1546.004Unix Shell Configuration ModificationT1105Ingress Tool TransferT1027Obfuscated Files or InformationT1053.003CronT1055Process InjectionT1070.003Clear Command HistoryT1552.001Credentials In FilesT1574.006Dynamic Linker Hijacking

Same Tactic: Execution

Popular Detections