Description
Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (.lua), or from Lua-embedded programs (through the struct lua_State).(Citation: Lua main page)(Citation: Lua state)
Lua scripts may be executed by adversaries for malicious purposes. Adversaries may incorporate, abuse, or replace existing Lua interpreters to allow for malicious Lua command execution at runtime.(Citation: PoetRat Lua)(Citation: Lua Proofpoint Sunseed)(Citation: Cyphort EvilBunny)(Citation: Kaspersky Lua)
Platforms
Mitigations (3)
| ID | Name | Description |
|---|---|---|
| M1033 | Limit Software Installation | Prevent users from installing Lua where not required. |
| M1047 | Audit | Inventory systems for unauthorized Lua installations. |
| M1038 | Execution Prevention | Denylist Lua interpreters where appropriate. |
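As an added example, not part of the ATT&CK entry or of any cited report, the following Python check applies the Audit and Execution Prevention mitigations to process-creation telemetry: it recognises launches of the stand-alone Lua interpreters the description mentions and flags those started from outside an assumed approved directory, those passing inline code with `-e`, and those loading `.lua`/`.luac` scripts from user-writable paths. The interpreter name pattern, the directory lists and the sample events are constructed assumptions.

```python
import re
import shlex

# Stand-alone interpreter names: lua, versioned lua5.x, luajit, wlua (assumed list).
LUA_INTERPRETERS = re.compile(
    r"^(lua|lua5\.?[0-9]|luajit|wlua)(\.exe)?$", re.IGNORECASE)

# Directories where a sanctioned Lua install may live (assumed allow-list).
APPROVED_DIRS = ("/usr/bin/", "/opt/approved-lua/bin/")
# Locations from which scripts should not normally be run (assumed).
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

# Constructed sample process-creation events: "pid,user,image,cmdline".
SAMPLE_EVENTS = """\
4101,svc-build,/usr/bin/lua5.4,lua5.4 /opt/build/scripts/pack.lua
4102,alice,/tmp/.x/lua,lua -e "print(_VERSION)"
4103,bob,/usr/bin/python3,python3 -c print(1)
4104,alice,/home/alice/luajit,luajit /home/alice/task.luac
"""

def parse_event(line):
    pid, user, image, cmdline = line.split(",", 3)
    return {"pid": int(pid), "user": user, "image": image, "cmdline": cmdline}

def classify(event):
    """Return (pid, reasons) for a Lua interpreter launch, else None.
    An empty reasons list means a launch that matched nothing suspicious."""
    basename = event["image"].rsplit("/", 1)[-1]
    if not LUA_INTERPRETERS.match(basename):
        return None
    argv = shlex.split(event["cmdline"])
    reasons = []
    if not event["image"].startswith(APPROVED_DIRS):
        reasons.append("interpreter outside approved directories")
    if "-e" in argv:
        reasons.append("inline Lua via -e")
    for arg in argv[1:]:
        if arg.endswith((".lua", ".luac")) and arg.startswith(SUSPECT_DIRS):
            reasons.append(f"script in user-writable location: {arg}")
    return event["pid"], reasons

def scan(text):
    """Return findings for every Lua interpreter launch in the telemetry."""
    findings = []
    for line in text.splitlines():
        result = classify(parse_event(line))
        if result is not None:
            findings.append(result)
    return findings
```

On the constructed sample, the sanctioned `/usr/bin/lua5.4` launch yields no reasons, while the `/tmp` interpreter with `-e` and the home-directory `luajit` loading a `.luac` file each yield two.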
Associated Software (5)
| ID | Name | Type | Context |
|---|---|---|---|
| S0396 | EvilBunny | Malware | [EvilBunny](https://attack.mitre.org/software/S0396) has used Lua scripts to execute payloads.(Citation: Cyphort EvilBunny) |
| S0125 | Remsec | Malware | [Remsec](https://attack.mitre.org/software/S0125) can use modules written in Lua for execution.(Citation: Kaspersky Lua) |
| S1240 | RedLine Stealer | Malware | [RedLine Stealer](https://attack.mitre.org/software/S1240) malware has leveraged Lua bytecode to perform malicious behavior.(Citation: McAfee RedLine ... |
| S1188 | Line Runner | Malware | [Line Runner](https://attack.mitre.org/software/S1188) utilizes Lua scripts for command execution.(Citation: Cisco ArcaneDoor 2024)(Citation: CCCS Arc... |
| S0428 | PoetRAT | Malware | [PoetRAT](https://attack.mitre.org/software/S0428) has executed a Lua script through a Lua interpreter for Windows.(Citation: Talos PoetRAT October 20... |
Related CWE Weaknesses
References
- Global Research and Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 5, 2024.
- Lua. (2024, June 25). Getting started. Retrieved August 5, 2024.
- Lua. (n.d.). lua_State. Retrieved August 5, 2024.
- Marschalek, Marion. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved August 5, 2024.
- Mercer, Warren. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves. Retrieved August 5, 2024.
- Raggi, Michael; Cass, Zydeca; The Proofpoint Threat Research Team. (2022, March 1). Asylum Ambuscade: State Actor Uses Lua-based Sunseed Malware to Target European Governments and Refugee Movement. Retrieved August 5, 2024.
Frequently Asked Questions
What is T1059.011 (Lua)?
T1059.011 is a MITRE ATT&CK technique named 'Lua'. It belongs to the Execution tactic(s). Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the...
How can T1059.011 be detected?
Detection of T1059.011 (Lua) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1059.011?
There are 3 documented mitigations for T1059.011. Key mitigations include: Limit Software Installation, Audit, Execution Prevention.
Which threat groups use T1059.011?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.