Skip to content

Latest commit

 

History

History
57 lines (29 loc) · 1.67 KB

T1153.md

File metadata and controls

57 lines (29 loc) · 1.67 KB

T1153 - Source

The source command loads functions into the current shell or executes files in the current context. This built-in command can be run in two different ways source /path/to/filename [arguments] or . /path/to/filename [arguments]. Take note of the space after the ".". Without a space, a new shell is created that runs the program instead of running the program within the current context. This is often used to make certain features or functions available to a shell or to update a specific shell's environment.(Citation: Source Manual)

Adversaries can abuse this functionality to execute programs. The file executed with this technique does not need to be marked executable beforehand.

Atomic Tests


Atomic Test #1 - Execute Script using Source

Creates a script and executes it using the source command

Supported Platforms: macOS, Linux

Attack Commands: Run with sh!

sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
chmod +x /tmp/art.sh
source /tmp/art.sh


Atomic Test #2 - Execute Script using Source Alias

Creates a script and executes it using the source command's dot alias

Supported Platforms: macOS, Linux

Attack Commands: Run with sh!

sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
chmod +x /tmp/art.sh
. /tmp/art.sh