Detects execution of a Lua interpreter or of a .lua script, particularly when it correlates with an unexpected parent process or with a preceding file-creation event, a combination that points to malicious use of embedded scripting rather than legitimate tooling.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |

| Field | Description |
|---|---|
| ParentProcessName | May vary depending on delivery vector (e.g., explorer.exe, cmd.exe, rundll32.exe) |
| TimeWindow | Window within which a .lua file-creation event and the subsequent interpreter execution are correlated; tune it to the environment. |

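
The correlation this analytic describes, worked as an added example (it is not part of the ATT&CK detection strategy or any vendor's code): Sysmon EventCode 11 records whose TargetFilename ends in .lua are indexed, then each EventCode 1 record whose Image is a Lua interpreter, or whose command line passes a .lua script, is checked for a matching drop inside TimeWindow and for a parent on a suspicious-parent list. The Sysmon field names (Image, ParentImage, CommandLine, TargetFilename, UtcTime) are Sysmon's own; the events, the five-minute window and the parent list are constructed assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Interpreter image names such as lua.exe, lua5.4.exe, lua54.exe, luajit.exe
LUA_IMAGE = re.compile(r"^lua(jit)?[\d.]*\.exe$")
# A quoted or bare command-line argument ending in .lua
LUA_ARG = re.compile(r'"([^"]*\.lua)"|(\S+\.lua)(?=\s|$)', re.IGNORECASE)
# Assumed tuning for this example: parents that rarely launch a script interpreter directly
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                      "rundll32.exe", "mshta.exe", "regsvr32.exe"}
TIME_WINDOW = timedelta(minutes=5)  # assumed TimeWindow; tune per environment


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_utc(value):
    # Sysmon UtcTime looks like "2024-05-02 12:00:01.123"
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def lua_args(cmdline):
    """Lowercased .lua paths passed on a Windows command line (quoted or bare)."""
    return [(quoted or bare).lower() for quoted, bare in LUA_ARG.findall(cmdline)]


def correlate(events):
    """One finding per Lua execution (EventCode 1), listing the indicators that fired."""
    drops = {}  # lowercased .lua path -> time the file was written (EventCode 11)
    for ev in events:
        if ev["EventCode"] == 11 and ev["TargetFilename"].lower().endswith(".lua"):
            drops[ev["TargetFilename"].lower()] = parse_utc(ev["UtcTime"])

    findings = []
    for ev in events:
        if ev["EventCode"] != 1:
            continue
        scripts = lua_args(ev.get("CommandLine", ""))
        interpreter = bool(LUA_IMAGE.match(basename(ev["Image"])))
        if not interpreter and not scripts:
            continue  # neither a Lua interpreter nor a .lua script argument
        indicators = ["lua_interpreter"] if interpreter else ["lua_script_argument"]
        exec_time = parse_utc(ev["UtcTime"])
        # File drop followed by execution of that same path within TIME_WINDOW
        if any(s in drops and timedelta(0) <= exec_time - drops[s] <= TIME_WINDOW
               for s in scripts):
            indicators.append("drop_then_exec")
        parent = ev.get("ParentImage", "")
        if basename(parent) in SUSPICIOUS_PARENTS:
            indicators.append("suspicious_parent")
        findings.append({"Image": ev["Image"], "ParentImage": parent,
                         "scripts": scripts, "indicators": indicators})
    return findings


# Constructed Sysmon-style events for the example, not real telemetry
SAMPLE_EVENTS = [
    {"EventCode": 11, "UtcTime": "2024-05-02 10:00:00.000",
     "Image": r"C:\Windows\System32\cmd.exe", "TargetFilename": r"C:\tools\build.lua"},
    {"EventCode": 11, "UtcTime": "2024-05-02 12:00:01.123",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\payload.lua"},
    {"EventCode": 1, "UtcTime": "2024-05-02 12:00:03.456",
     "Image": r"C:\Users\alice\AppData\Local\Temp\lua54.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\lua54.exe" "C:\Users\alice\AppData\Local\Temp\payload.lua"',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventCode": 1, "UtcTime": "2024-05-02 12:10:00.000",
     "Image": r"C:\Program Files\Lua\lua.exe",
     "CommandLine": r'"C:\Program Files\Lua\lua.exe" C:\tools\build.lua',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventCode": 1, "UtcTime": "2024-05-02 12:11:00.000",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def run_example():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_example():
        print(finding["Image"], "<-", finding["ParentImage"], finding["indicators"])
```

The drop-to-execution join keys on the lowercased script path, so a script written under one name and executed under another (renamed or copied between the two events) would not correlate; joining on the writing process's ProcessGuid as well would close that gap. The build.lua execution in the sample shows why TimeWindow matters: the file was written two hours earlier, so only the bare lua_interpreter indicator fires.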
Detects invocation of the lua or luajit interpreter by users or services outside the packages expected to use it, chained with a script drop or in-memory artifacts.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| File Metadata (DC0059) | auditd:SYSCALL | path |

| Field | Description |
|---|---|
| ExecutablePath | Lua interpreter path may vary based on distro or adversary staging. |
| UserContext | May need to exclude service or admin accounts that use Lua legitimately. |

Detects Lua script execution via native or third-party interpreters, chained with unsigned binaries or unexpected parent lineage.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | log stream |

| Field | Description |
|---|---|
| ParentProcessName | Tune to the host's activity pattern (e.g., Terminal-launched versus GUI-launched processes). |
| SignatureStatus | Helps filter unsigned or self-signed Lua payloads. |

Detects execution of an embedded Lua interpreter or injection of a Lua script on devices that support Lua scripting (e.g., routers, firewalls), as seen in modified firmware or through abused APIs.

| Data Component | Name | Channel |
|---|---|---|
| Script Execution (DC0029) | networkdevice:runtime | runtime |

| Field | Description |
|---|---|
| FirmwareBuildHash | Used to baseline known-good firmware versions against builds that carry injected scripts. |
| ScriptInjectionPath | Location from which the device configuration allows or denies scripts to be loaded. |