Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (.lua), or from Lua-embedded programs (through the struct lua_State).[1][2]
Lua scripts may be executed by adversaries for malicious purposes. Adversaries may incorporate, abuse, or replace existing Lua interpreters to allow for malicious Lua command execution at runtime.[3][4][5][6]
| ID | Name | Description |
|---|---|---|
| S0396 | EvilBunny | |
| S0428 | PoetRAT |
PoetRAT has executed a Lua script through a Lua interpreter for Windows.[7] |
| S0125 | Remsec |
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit |
Inventory systems for unauthorized Lua installations. |
| M1038 | Execution Prevention |
Denylist Lua interpreters where appropriate. |
| M1033 | Limit Software Installation |
Prevent users from installing Lua where not required. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0017 | Command | Command Execution |
Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors such as using |
| DS0012 | Script | Script Execution |
Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. |