Detect Source in Sumo Logic CSE
Adversaries may abuse the shell built-in source command (or its dot notation equivalent '. ') to execute arbitrary scripts in the current shell context without requiring the target file to be marked executable. This technique is deprecated in ATT&CK but the underlying behavior remains relevant on Linux and macOS systems. The source command can load malicious functions into the current shell session, execute staged payloads from world-writable directories, or run scripts pulled from remote locations via process substitution (e.g., source <(curl ...)). Because the file does not need execute permissions (chmod +x), this technique can bypass permission-based detection controls. Adversaries commonly use this to execute payloads written to /tmp or /dev/shm, load malicious shell functions into memory, or chain with other techniques such as modifying .bashrc or .profile for persistence.
MITRE ATT&CK
- Tactic
- Execution
- Canonical reference
- https://attack.mitre.org/techniques/T1153/
Sumo Detection Query
(_sourceCategory=linux* OR _sourceCategory=*audit* OR _sourceCategory=*syslog*)
| parse regex "(?:cmd|command|msg|CommandLine)=[\"']?(?P<cmdline>[^\"'\n]+)[\"']?" nodrop
| parse regex "(?:ppid_cmd|parent_process|ParentCommandLine)=[\"']?(?P<parent_proc>[^\"'\n]+)[\"']?" nodrop
| where cmdline matches "*source /*" OR cmdline matches "* . /*" OR cmdline matches "* . ~/*"
| eval IsFromTempDir = if(matches(cmdline, "source\\s+/(tmp|dev/shm|var/tmp|run)/") OR matches(cmdline, "\\s\\.\\s+/(tmp|dev/shm|var/tmp|run)/"), 1, 0)
| eval IsProcessSubstitution = if(matches(cmdline, "source\\s+<\\(") OR matches(cmdline, "\\s\\.\\s+<\\("), 1, 0)
| eval IsNonExecutable = if(matches(cmdline, "source\\s+\\S+\\.(txt|log|conf|dat|bak|tmp)") OR matches(cmdline, "\\s\\.\\s+\\S+\\.(txt|log|conf|dat|bak|tmp)"), 1, 0)
| eval HasBase64 = if(matches(cmdline, "base64") AND (matches(cmdline, "source ") OR matches(cmdline, " \\. ")), 1, 0)
| eval SuspiciousParent = if(matches(parent_proc, "curl|wget|python3?|perl|ruby|php|ncat?|socat"), 1, 0)
| eval SuspicionScore = IsFromTempDir + IsProcessSubstitution + IsNonExecutable + HasBase64 + SuspiciousParent
| where SuspicionScore > 0
| fields _messageTime, _sourceHost, cmdline, parent_proc, IsFromTempDir, IsProcessSubstitution, IsNonExecutable, HasBase64, SuspiciousParent, SuspicionScore
| sort by SuspicionScore desc, _messageTime descSumo Logic search targeting Linux auditd and syslog sources for shell source command abuse. Parses command line fields from multiple log formats, evaluates five suspicion indicators (suspicious path, process substitution, non-executable extension, base64 payload, network utility parent), and surfaces events with a non-zero composite score for analyst triage.
Data Sources
Required Tables
False Positives & Tuning
- Package installer scripts (pip, npm, brew on macOS) that extract archives to /tmp and source shell wrappers as part of post-install hooks
- Penetration testing tools such as Metasploit post-exploitation modules that legitimately generate /tmp payloads in authorised engagements
- Security monitoring agents that source configuration fragments from /run or /var/tmp during startup as part of their normal initialisation
Other platforms for T1153
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Execute Non-Executable Script via source
Expected signal: auditd EXECVE record for bash with argument array including 'source /tmp/argus_payload.sh'. DeviceProcessEvents (MDE Linux): ProcessCommandLine containing 'source /tmp/argus_payload.sh', FileName=bash. File creation event for /tmp/argus_source_test.txt. The file permission check (644, no execute bit) is visible in the stat output confirming the bypass.
- Test 2Source via Dot Notation from /dev/shm
Expected signal: auditd EXECVE record: argument array for sh/bash containing '. /dev/shm/argus_stage.sh'. DeviceProcessEvents: ProcessCommandLine containing '. /dev/shm/argus_stage.sh'. File creation events for both the staged script in /dev/shm and the output file in /tmp.
- Test 3Fileless Execution via Process Substitution with source
Expected signal: auditd EXECVE record: bash with argument containing 'source <(echo ...)'. DeviceProcessEvents: ProcessCommandLine matching process substitution pattern. This is a fileless execution — no script file is created on disk, making file-based detections ineffective. The only durable telemetry is process creation and command line logging.
- Test 4Load Malicious Shell Function via source
Expected signal: auditd EXECVE records: (1) bash executing 'source /tmp/argus_func_payload.sh', (2) bash executing 'argus_backdoor test_argument' as a shell builtin invocation. DeviceProcessEvents: ProcessCommandLine showing both the source invocation and function call. Note that shell function calls may not generate separate process creation events since they execute in the current shell context — this is a key detection gap for function-based payloads.
References (8)
- https://attack.mitre.org/techniques/T1153/
- https://ss64.com/bash/source.html
- https://www.gnu.org/software/bash/manual/bash.html#Bourne-Shell-Builtins
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1153/T1153.md
- https://linux.die.net/man/8/auditd
- https://github.com/SigmaHQ/sigma/tree/master/rules/linux
- https://www.cyberciti.biz/faq/bash-source-command/
- https://learn.microsoft.com/en-us/defender-endpoint/linux-support-events
Unlock Pro Content
Get the full detection package for T1153 including response playbook, investigation guide, and atomic red team tests.