Command and Scripting Interpreter: Lua

Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (.lua), or from Lua-embedded programs (through the struct lua_State).[1][2]

Lua scripts may be executed by adversaries for malicious purposes. Adversaries may incorporate, abuse, or replace existing Lua interpreters to allow for malicious Lua command execution at runtime.[3][4][5][6]

ID: T1059.011
Sub-technique of: T1059
Tactic: Execution
Platforms: Linux, Network, Windows, macOS
Version: 1.0
Created: 05 August 2024
Last Modified: 01 October 2024

Procedure Examples

| ID | Name | Description |
|---|---|---|
| S0396 | EvilBunny | EvilBunny has used Lua scripts to execute payloads.[5] |
| S0428 | PoetRAT | PoetRAT has executed a Lua script through a Lua interpreter for Windows.[7] |
| S0125 | Remsec | Remsec can use modules written in Lua for execution.[6] |

Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Inventory systems for unauthorized Lua installations. |
| M1038 | Execution Prevention | Denylist Lua interpreters where appropriate. |
| M1033 | Limit Software Installation | Prevent users from installing Lua where not required. |

Detection

| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0017 | Command | Command Execution | Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors such as using os.execute to execute operating system commands. |
| DS0012 | Script | Script Execution | Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. |
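The two detection rows above can be combined into one triage pass over process-creation telemetry. The following is an added example, not part of the ATT&CK entry. The event field names (`image`, `command_line`), the interpreter file-name pattern, and the inclusion of `io.popen` alongside `os.execute` are assumptions, and all sample data is constructed.

```python
import re
import shlex
from pathlib import PureWindowsPath

# Interpreter file names are an assumption; extend from your software inventory.
LUA_IMAGE = re.compile(r"^(lua(\d+(\.\d+)?)?|luajit)(\.exe)?$", re.IGNORECASE)
# Lua standard-library calls that pass a string to the operating system shell.
SHELL_CALLS = re.compile(r"\b(os\.execute|io\.popen)\s*\(")


def triage(event, captured_scripts):
    """Return the reasons a process-creation event deserves analyst review."""
    # PureWindowsPath splits on both "\" and "/", so one call covers all platforms.
    if not LUA_IMAGE.match(PureWindowsPath(event["image"]).name):
        return []
    findings = ["lua interpreter started"]
    # posix=False keeps Windows backslashes intact; surrounding quotes are stripped here.
    args = [a.strip("\"'") for a in shlex.split(event["command_line"], posix=False)[1:]]
    for i, arg in enumerate(args):
        if arg == "-e" and i + 1 < len(args):
            findings.append("inline chunk via -e")
            if SHELL_CALLS.search(args[i + 1]):
                findings.append("inline chunk calls the OS shell")
        elif arg.lower().endswith(".lua"):
            body = captured_scripts.get(arg)
            if body is None:
                findings.append("script not captured: " + arg)
            elif SHELL_CALLS.search(body):
                findings.append("script calls the OS shell: " + arg)
    return findings


# Constructed sample data: process-creation events and script bodies pulled from disk.
EVENTS = [
    {"image": "/usr/bin/lua5.4", "command_line": "lua5.4 -e \"os.execute('id')\""},
    {"image": r"C:\Users\Public\lua.exe", "command_line": r"lua.exe C:\Users\Public\update.lua"},
    {"image": "/usr/bin/lua", "command_line": "lua /opt/app/render.lua"},
    {"image": "/usr/bin/python3", "command_line": "python3 -m http.server"},
]
SCRIPTS = {
    r"C:\Users\Public\update.lua": "local h = io.popen('whoami')\nprint(h:read('*a'))",
    "/opt/app/render.lua": "print(string.format('%d rows', 3))",
}

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["command_line"], "->", triage(ev, SCRIPTS))
```

This only sees the stand-alone interpreter. Lua embedded in another program through lua_State starts no separate process, so coverage there depends on capturing the scripts themselves.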

References