
Source

The source command reads a file and executes its contents inside the current shell process rather than in a child process. This built-in can be invoked in two equivalent ways: source /path/to/filename [arguments] or . /path/to/filename [arguments]. Take note of the space after the ".". Without the space, ./path/to/filename is simply a relative path, so the shell asks the kernel to execute the file as a separate process, which requires the execute bit and honours the file's shebang line. With the space, the shell that is already running reads and interprets the file itself. Sourcing is commonly used to make functions available to a shell or to update its environment (variables, PATH, aliases), since changes made in a child process would not be visible to the parent.

Adversaries can abuse this functionality to execute programs. The file executed with this technique does not need to be marked executable beforehand: it only has to be readable by the user, and because the shell interprets it directly, a shebang line is ignored and a noexec mount option on the file's filesystem does not prevent it from running. The content must be in the syntax of the shell that sources it.
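The following is an added example (not code from the ATT&CK page) that shows the distinction in practice: a constructed payload file with the execute bit removed is refused by direct execution but runs under "." and leaves its definitions in the calling shell. The file name, the helper function names and the payload contents are all constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not part of the ATT&CK page. Demonstrates that `. file`
# runs a non-executable file inside the current shell, while `./file` is
# refused. File names and payload contents are constructed for the demo.

# Write a constructed "payload" that defines a function and a variable,
# then strip the execute bit so only `source`/`.` can run it.
make_payload() {
    dir=$(mktemp -d)
    cat > "$dir/payload.txt" <<'EOF'
# constructed sample content: nothing here needs +x to run under `.`
SOURCED_MARKER="sourced into pid $$"
sourced_fn() { printf 'sourced_fn ran in the shell that sourced it\n'; }
EOF
    chmod 0644 "$dir/payload.txt"
    printf '%s\n' "$dir/payload.txt"
}

# Direct execution: the kernel checks the execute bit on execve, so a POSIX
# shell reports "cannot execute" and returns status 126.
direct_exec() {
    "$1" >/dev/null 2>&1
}

# Sourcing: the shell reads and interprets the file in-process. No execve
# happens, no execute bit is needed, and the definitions land in the
# caller's shell (not in a child that exits and takes them along).
source_file() {
    . "$1"
}

# Reports whether the sourced function is now visible in this shell.
sourced_fn_defined() {
    command -v sourced_fn >/dev/null 2>&1
}

PAYLOAD=$(make_payload)
if direct_exec "$PAYLOAD"; then
    echo "unexpected: direct execution succeeded"
else
    echo "direct execution refused (status $?)"
fi
source_file "$PAYLOAD"
echo "$SOURCED_MARKER"
sourced_fn
```

Running the script as a normal user or as root gives the same result: the execve path fails because no execute bit is set anywhere on the file, while the sourced path defines SOURCED_MARKER and sourced_fn in the running shell.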

ID: T1153
Tactic: Execution
Platform: Linux, macOS
Permissions Required: User
Data Sources: Process monitoring, File monitoring, Process command-line parameters
Version: 1.0

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Monitor for shells invoked with a command line that contains source or a lone "." followed by a path (for example sh -c ". /tmp/file"), and for the processes started by the sourced content. Because the sourced file is interpreted inside an already-running shell, there is no exec event for the file itself: in an interactive session the sourcing is visible only through shell history or shell-level auditing, and in process monitoring only through the child processes it spawns. Adversaries must normally drop a file to disk in order to source it, and these files can also be detected by file monitoring; note, however, that bash also accepts process substitution (source <(command)) or /dev/stdin as the argument, so the content does not have to persist as a regular file.
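As an added example (not from the ATT&CK page), the script below runs a simple detection pass over constructed sample command lines of the kind a process-monitoring or auditd execve record would carry for a shell started with -c. It flags a "source" or lone "." token followed by a non-option argument, which separates ". /var/tmp/payload" from "./setup.sh" and from "find . -name". The sample lines, the function names and the heuristic are assumptions made for this example; an interactive shell that sources a file produces no such command line at all, so this only covers the non-interactive case.

```shell
#!/bin/sh
# Added example, not from the ATT&CK page: a detection pass over constructed
# sample command lines (joined argv of a shell started with -c), flagging
# `source`/`.` invocations and the file or stream they load.

# Constructed sample command lines. Only four of the seven should be flagged.
SAMPLE_CMDLINES=$(cat <<'EOF'
bash -c source /tmp/.cache/update.txt
sh -c . /var/tmp/payload
python3 /usr/bin/somescript.py
bash -c ./setup.sh
bash -c cd /opt && . ./env.sh && ./run
zsh -c . <(cat /tmp/stage)
find . -name core -delete
EOF
)

# Flags one command line if a token boundary (start, ;, &, |, whitespace)
# is followed by `source` or a lone `.` and then a non-option argument.
# Prints "<loader> <argument>" and returns 0 on a hit, 1 otherwise.
# `./setup.sh` is not matched because the dot is glued to the path, and
# `find . -name` is not matched because the next token starts with `-`.
# A lone `.` before a non-option token is still a heuristic (e.g. `cp -r . /x`
# would be flagged), so treat hits as leads rather than verdicts.
detect_source() {
    printf '%s\n' "$1" | awk '
    {
        n = split($0, w, /[ \t;&|]+/)
        for (i = 1; i < n; i++) {
            if ((w[i] == "source" || w[i] == ".") && w[i+1] != "" && w[i+1] !~ /^-/) {
                print w[i] " " w[i+1]
                exit 0
            }
        }
        exit 1
    }'
}

# Reads command lines from stdin and prints only the number flagged.
count_flags() {
    hits=0
    while IFS= read -r line; do
        if detect_source "$line" >/dev/null; then
            hits=$((hits + 1))
        fi
    done
    echo "$hits"
}

# Reads command lines from stdin and prints a human-readable report.
scan_report() {
    while IFS= read -r line; do
        if out=$(detect_source "$line"); then
            printf 'FLAG  %-42s -> %s\n' "$line" "$out"
        else
            printf 'ok    %s\n' "$line"
        fi
    done
}

printf '%s\n' "$SAMPLE_CMDLINES" | scan_report
printf 'flagged: %s\n' "$(printf '%s\n' "$SAMPLE_CMDLINES" | count_flags)"
```

The process-substitution line is flagged with an argument of "<(cat", which is a useful signal in itself: a sourced stream rather than a file means file monitoring alone would miss the payload, so the child processes spawned by the shell (here cat) become the remaining observable.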