T1059.011 Lua

Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command line (through the stand-alone `lua` interpreter), via scripts (`.lua`), or from Lua-embedded programs (through the `struct lua_State`).(Citation: Lua main page)(Citation: Lua state)

Lua scripts may be executed by adversaries for malicious purposes. Adversaries may incorporate, abuse, or replace existing Lua interpreters to allow for malicious Lua command execution at runtime.(Citation: PoetRat Lua)(Citation: Lua Proofpoint Sunseed)(Citation: Cyphort EvilBunny)(Citation: Kaspersky Lua)


NIST 800-53 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1059.011 | Lua | |
| SI-16 | Memory Protection | mitigates | T1059.011 | Lua | |
| SI-03 | Malicious Code Protection | mitigates | T1059.011 | Lua | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1059.011 | Lua | |
| CM-02 | Baseline Configuration | mitigates | T1059.011 | Lua | |
| SI-04 | System Monitoring | mitigates | T1059.011 | Lua | |
| AC-02 | Account Management | mitigates | T1059.011 | Lua | |
| AC-03 | Access Enforcement | mitigates | T1059.011 | Lua | |
| AC-06 | Least Privilege | mitigates | T1059.011 | Lua | |

VERIS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1059.011 | Lua | |
| action.hacking.variety.OS commanding | OS commanding. Child of 'Exploit vuln'. | related-to | T1059.011 | Lua | |
| action.hacking.vector.Command shell | Remote shell | related-to | T1059.011 | Lua | |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1059.011 | Lua | |

Azure Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| microsoft_sentinel | Microsoft Sentinel | technique_scores | T1059.011 | Lua | Microsoft Sentinel can potentially detect the use of malicious code, including Lua scripts. |
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1059.011 | Lua | |

GCP Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1059.011 | Lua | Google Security Operations is able to trigger an alert based on suspicious behavior seen in the Windows command line. |

M365 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DEF-ATH-E5 | Advanced Threat Hunting | Technique Scores | T1059.011 | Lua | |