Command and Scripting Interpreter: Lua

Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (.lua), or from Lua-embedded programs (through the struct lua_State).[1][2]

Lua scripts may be executed by adversaries for malicious purposes. Adversaries may incorporate, abuse, or replace existing Lua interpreters to allow for malicious Lua command execution at runtime.[3][4][5][6]

ID: T1059.011
Sub-technique of: T1059
Tactic: Execution
Platforms: Linux, Network Devices, Windows, macOS
Version: 1.1
Created: 05 August 2024
Last Modified: 15 April 2025

Procedure Examples

ID Name Description
S0396 EvilBunny

EvilBunny has used Lua scripts to execute payloads.[5]

S1188 Line Runner

Line Runner utilizes Lua scripts for command execution.[7][8]

S0428 PoetRAT

PoetRAT has executed a Lua script through a Lua interpreter for Windows.[9]

S1240 RedLine Stealer

RedLine Stealer malware has leveraged Lua bytecode to perform malicious behavior.[10]

S0125 Remsec

Remsec can use modules written in Lua for execution.[6]

Mitigations

ID Mitigation Description
M1047 Audit

Inventory systems for unauthorized Lua installations.

M1038 Execution Prevention

Denylist Lua interpreters where appropriate.

M1033 Limit Software Installation

Prevent users from installing Lua where not required.
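The Audit and Limit Software Installation mitigations above both start from knowing where Lua lives on a host. The following inventory script is an added example, not part of the ATT&CK page or any vendor tool: it walks a set of directories and reports stand-alone interpreters (by name and executable bit), binaries that statically link Lua (by the `$LuaVersion:` string that liblua exports from `lua_ident` in lapi.c), precompiled chunks (by the `\x1bLua` signature from lua.h, relevant because RedLine Stealer shipped Lua bytecode), and plain `.lua` scripts. Interpreters and embedding binaries not on an approved list are marked unauthorized. The `demo()` tree, the approved list and the file contents are constructed for illustration.

```python
"""Inventory Lua interpreters, Lua-embedding binaries, precompiled chunks and
scripts under given directories (added example for M1047 Audit; not ATT&CK
content). The demo tree and approved list are constructed assumptions."""
import os
import re
import tempfile
from pathlib import Path

# Stand-alone interpreter names: lua, lua5.4, lua54, luajit, luajit-2.1, lua.exe ...
LUA_INTERPRETER = re.compile(r"^(?:lua|luajit)(?:[-.]?\d+(?:\.\d+)*)?(?:\.exe)?$", re.I)
# lapi.c exports lua_ident = "$LuaVersion: Lua 5.x ... $", so binaries that link
# liblua statically normally carry this marker.
EMBEDDED_MARKER = b"$LuaVersion:"
# LUA_SIGNATURE from lua.h: every precompiled chunk starts with ESC 'L' 'u' 'a'.
BYTECODE_SIGNATURE = b"\x1bLua"
MAX_SCAN_BYTES = 16 * 1024 * 1024


def classify(path: Path):
    """Return 'interpreter', 'embedded', 'bytecode', 'script' or None."""
    try:
        with path.open("rb") as fh:
            head = fh.read(len(BYTECODE_SIGNATURE))
            if head == BYTECODE_SIGNATURE:
                return "bytecode"
            body = head + fh.read(MAX_SCAN_BYTES)
    except OSError:
        return None  # unreadable or broken symlink
    if LUA_INTERPRETER.match(path.name) and os.access(path, os.X_OK):
        return "interpreter"
    if EMBEDDED_MARKER in body:
        return "embedded"
    if path.name.lower().endswith(".lua"):
        return "script"
    return None


def inventory(roots, approved):
    """Walk roots; return sorted (kind, path, status) tuples.

    Interpreters and embedding binaries are 'approved' or 'unauthorized'
    depending on the approved list; scripts and bytecode are 'review'."""
    approved_keys = {os.path.normcase(os.path.abspath(p)) for p in approved}
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fn in files:
                p = Path(dirpath, fn)
                kind = classify(p)
                if kind is None:
                    continue
                if kind in ("interpreter", "embedded"):
                    key = os.path.normcase(os.path.abspath(p))
                    status = "approved" if key in approved_keys else "unauthorized"
                else:
                    status = "review"
                findings.append((kind, str(p), status))
    return sorted(findings)


def demo():
    """Build a constructed directory tree and run the inventory over it."""
    base = Path(tempfile.mkdtemp(prefix="lua-audit-"))
    layout = {  # constructed file contents; only the markers matter
        "usr/bin/lua5.4": b"\x7fELF fake packaged interpreter $LuaVersion: Lua 5.4.6 $",
        "opt/.cache/luajit": b"\x7fELF fake interpreter dropped outside any package",
        "opt/app/agent": b"\x7fELF application with $LuaVersion: Lua 5.3.6 $ linked in",
        "tmp/stage.luac": BYTECODE_SIGNATURE + b"\x54\x00\x19\x93",
        "home/build/gen.lua": b"print('hello')\n",
        "usr/bin/python3": b"\x7fELF unrelated binary",
    }
    for rel, data in layout.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        p.chmod(0o755)
    approved = {str(base / "usr/bin/lua5.4")}
    return [(kind, Path(p).relative_to(base).as_posix(), status)
            for kind, p, status in inventory([base], approved)]


if __name__ == "__main__":
    for kind, path, status in demo():
        print(f"{status:12} {kind:12} {path}")
```

On a real host, pass the directories that matter (`/usr/bin`, `/usr/local/bin`, `/opt`, `/tmp`, user profiles) and an approved list derived from the package manager or software inventory; anything reported as unauthorized is a candidate for the Execution Prevention denylist.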

Detection Strategy

ID Name Analytic ID Analytic Description
DET0101 Detection Strategy for Lua Scripting Abuse

AN0278

Detects execution of Lua interpreters or scripts (.lua), especially when correlated with suspicious parent processes or file drop events, indicating malicious use of embedded scripting.

AN0279

Detects invocation of lua or luajit interpreters by users or services outside of expected packages, chained with script drop or memory artifacts.

AN0280

Detects Lua script execution via native or third-party interpreters, chained with unsigned binaries or unexpected parent lineage.

AN0281

Detects embedded Lua interpreter execution or script injection on devices supporting Lua scripting (e.g., routers, firewalls), often seen in modified firmware or abused APIs.
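The four analytics above share one shape: identify a Lua interpreter or `.lua` script in a process-creation event, then score it by context (interpreter location, parent process, binary provenance, script path). The following detection logic is an added example, not ATT&CK content or a vendor rule. It parses a constructed `key="value"` process-creation format, applies one check per analytic, and alerts only when at least two checks fire, so that a packaged `lua5.4` launched by `make` is ignored while a `lua.exe` dropped in a user's temp directory and spawned by an Office process is not. The log format, the allow-lists and every sample event are constructed for illustration.

```python
"""Heuristic detection of suspicious Lua interpreter or .lua script execution
from process-creation events (added example; not part of the ATT&CK page).
The log format, allow-lists and sample events below are constructed."""
import re
from dataclasses import dataclass

# Interpreter binary names: lua, lua5.4, lua54, luajit, luajit-2.1, lua.exe ...
LUA_INTERPRETER = re.compile(r"^(?:lua|luajit)(?:[-.]?\d+(?:\.\d+)*)?(?:\.exe)?$", re.I)
LUA_SCRIPT = re.compile(r"\.lua$", re.I)

# Constructed allow-lists; tune them to the monitored environment.
EXPECTED_INTERPRETER_DIRS = ("/usr/bin/", "/usr/local/bin/", "c:\\program files\\")
EXPECTED_PARENTS = {"bash", "sh", "make", "systemd", "cron"}
USER_WRITABLE_HINTS = ("/tmp/", "/dev/shm/", "\\temp\\", "\\downloads\\", "\\appdata\\local\\")


@dataclass
class ProcessEvent:
    ts: str
    host: str
    user: str
    image: str       # full path of the new process image
    cmdline: str
    parent: str      # full path of the parent image
    verified: bool   # package-manager hash match or valid code signature


KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed key="value" process-creation line."""
    f = dict(KV.findall(line))
    return ProcessEvent(f["ts"], f["host"], f["user"], f["image"], f["cmdline"],
                        f["parent"], f.get("verified", "false").lower() == "true")


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]


def script_args(ev: ProcessEvent):
    """Command-line arguments that name a .lua script."""
    return [a.strip('"') for a in ev.cmdline.split() if LUA_SCRIPT.search(a.strip('"'))]


def is_lua_invocation(ev: ProcessEvent) -> bool:
    return bool(LUA_INTERPRETER.match(basename(ev.image))) or bool(script_args(ev))


def suspicious_reasons(ev: ProcessEvent) -> list:
    """One reason per matched analytic; the caller picks the alert threshold."""
    reasons = []
    if not ev.image.lower().startswith(EXPECTED_INTERPRETER_DIRS):
        reasons.append("interpreter outside packaged locations")       # AN0279
    parent = basename(ev.parent)
    if parent.lower() not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent {parent}")                   # AN0278 / AN0280
    if not ev.verified:
        reasons.append("unverified interpreter binary")                 # AN0280
    for script in script_args(ev):
        if any(h in script.lower() for h in USER_WRITABLE_HINTS):
            reasons.append(f"script in user-writable path {script}")    # AN0278 file drop
    return reasons


def analyze(lines, min_reasons: int = 2):
    """Return [(event, reasons)] for Lua invocations reaching the threshold."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not is_lua_invocation(ev):
            continue
        reasons = suspicious_reasons(ev)
        if len(reasons) >= min_reasons:
            alerts.append((ev, reasons))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    'ts="2025-04-15T10:02:11Z" host="build01" user="build" image="/usr/bin/lua5.4" '
    'cmdline="/usr/bin/lua5.4 /home/build/app/gen.lua" parent="/usr/bin/make" verified="true"',
    'ts="2025-04-15T10:05:40Z" host="ws-17" user="alice" '
    r'image="C:\Users\alice\AppData\Local\Temp\lua.exe" '
    r'cmdline="C:\Users\alice\AppData\Local\Temp\lua.exe C:\Users\alice\AppData\Local\Temp\stage.lua" '
    r'parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" verified="false"',
    'ts="2025-04-15T10:07:03Z" host="web02" user="www-data" image="/tmp/.x/luajit" '
    'cmdline="/tmp/.x/luajit -e ..." parent="/usr/sbin/php-fpm8.2" verified="false"',
    'ts="2025-04-15T10:09:55Z" host="dev03" user="dev" image="/usr/bin/lua5.4" '
    'cmdline="/usr/bin/lua5.4 /home/dev/.config/nvim/check.lua" parent="/usr/bin/nvim" verified="true"',
    'ts="2025-04-15T10:10:12Z" host="build01" user="build" image="/usr/bin/python3" '
    'cmdline="/usr/bin/python3 build.py" parent="/usr/bin/bash" verified="true"',
]

if __name__ == "__main__":
    for ev, reasons in analyze(SAMPLE_LOG):
        print(f"{ev.ts} {ev.host} {ev.user} {ev.image}: " + "; ".join(reasons))
```

The threshold is the tuning knob: with `min_reasons=1` the developer's `nvim`-spawned check script also surfaces, which is the right default on network devices and servers where Lua has no interactive users, while workstations with editors or games that embed Lua need the higher threshold or a richer parent allow-list. For the embedded case in AN0281 there is usually no separate interpreter process, so the same scoring has to be fed from firmware integrity checks or the device's own API audit log rather than from process creation.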

References