title: Source (T1153)
id: df00tech-t1153
status: experimental
description: "Adversaries may abuse the shell built-in source command (or its dot notation equivalent '. ') to execute arbitrary scripts in the current shell context without requiring the target file to be marked executable. This technique is deprecated in ATT&CK but the underlying behavior remains relevant on Linux and macOS systems. The source command can load malicious functions into the current shell session, execute staged payloads from world-writable directories, or run scripts pulled from remote locations via process substitution (e.g., source <(curl ...)). Because the file does not need execute permissions (chmod +x), this technique can bypass permission-based detection controls. Adversaries commonly use this to execute payloads written to /tmp or /dev/shm, load malicious shell functions into memory, or chain with other techniques such as modifying .bashrc or .profile for persistence."
references:
  - https://attack.mitre.org/techniques/T1153/
  - https://df00tech.com/detections/T1153
author: df00tech
date: 2026/04/18
tags:
  - attack.t1153
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "System initialization scripts and package installers legitimately source configuration files from /tmp during installation (e.g., some pip or npm install procedures)"
  - "Developers and DevOps engineers routinely source virtual environment activation scripts (e.g., source ./venv/bin/activate) which may reside in project directories under /home/"
  - "Configuration management tools (Ansible, Chef, Puppet) may source scripts during provisioning runs"
  - "Shell profile management tools (oh-my-zsh, bash-it) source scripts during terminal initialization from home directories"
  - CI/CD pipeline agents sourcing build environment scripts from workspace directories that may match /home/ path patterns
level: medium