T1059.011 Lua Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let LuaPatterns = dynamic([
  "lua.exe", "lua5", "luajit", "luac",
  ".lua", "dofile(", "loadfile(", "loadstring(",
  "require(", "os.execute(", "io.popen(",
  "os.remove(", "os.rename(", "io.open(",
  "socket.tcp", "socket.connect",
  "http.request", "ltn12.pump"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any ("lua", "luajit", "luac") or ProcessCommandLine has_any (LuaPatterns)
| extend OsExec = ProcessCommandLine has_any ("os.execute(", "io.popen(")
| extend NetworkActivity = ProcessCommandLine has_any ("socket.tcp", "socket.connect", "http.request")
| extend DynamicLoad = ProcessCommandLine has_any ("loadstring(", "loadfile(", "dofile(")
| extend ScriptFromTemp = ProcessCommandLine has_any ("\\Temp\\", "/tmp/", "AppData")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         OsExec, NetworkActivity, DynamicLoad, ScriptFromTemp
| sort by Timestamp desc

medium severity low confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Game engines and applications with embedded Lua scripting (World of Warcraft, Roblox, Redis, Nginx)
Network monitoring tools using Lua for packet inspection (Wireshark, Nmap NSE scripts)
Configuration management tools with Lua-based configurations (OpenResty, Kong API Gateway)

Splunk

spl

(index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 (Image="*\\lua*.exe" OR CommandLine="*.lua*"))
OR
(index=linux sourcetype="linux:auditd" type=EXECVE (a0="*lua*" OR a1="*.lua"))
| eval cmdline=coalesce(CommandLine, a0." ".a1." ".a2)
| eval OsExec=if(match(cmdline, "(os\.execute|io\.popen)"), 1, 0)
| eval NetworkActivity=if(match(cmdline, "(socket\.tcp|socket\.connect|http\.request)"), 1, 0)
| eval DynamicLoad=if(match(cmdline, "(loadstring|loadfile|dofile)"), 1, 0)
| eval SuspicionScore=OsExec*2 + NetworkActivity*2 + DynamicLoad
| where SuspicionScore > 0
| table _time, host, User, Image, cmdline, ParentImage, OsExec, NetworkActivity, DynamicLoad, SuspicionScore
| sort - SuspicionScore, - _time

medium severity low confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1 Linux auditd

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational linux:auditd

False Positives

Game engines and applications with embedded Lua scripting
Network monitoring tools using Lua for packet inspection
Configuration management tools with Lua-based configurations

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [process where event.type == "start" and
   (
     process.name like~ ("lua", "lua.exe", "lua5*", "luajit", "luajit.exe", "luac", "luac.exe") or
     process.args like~ ("*.lua", "*dofile(*", "*loadfile(*", "*loadstring(*", "*os.execute(*", "*io.popen(*", "*socket.tcp*", "*http.request*")
   )
  ] by process.entity_id
  [any where event.category in ("network", "file") and
   (
     (event.category == "network" and network.direction == "egress") or
     (event.category == "file" and file.path like~ ("/tmp/*", "/var/tmp/*", "*\\Temp\\*", "*\\AppData\\*"))
   )
  ] by process.parent.entity_id

// Alternatively, single-event detection:
// process where event.type == "start" and
// (
//   process.name like~ ("lua", "lua.exe", "lua5*", "luajit", "luajit.exe", "luac", "luac.exe") or
//   process.args like~ ("*.lua", "*os.execute(*", "*io.popen(*", "*loadstring(*", "*socket.tcp*", "*http.request*", "*socket.connect*", "*ltn12.pump*")
// ) and
// process.args like~ ("/tmp/*", "*\\Temp\\*", "*\\AppData\\*", "*os.execute(*", "*io.popen(*", "*loadstring(*", "*socket.*", "*http.request*")

medium severity medium confidence

Data Sources

Elastic Endpoint Auditbeat Winlogbeat with Sysmon

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* logs-endpoint.events.file-* winlogbeat-* auditbeat-*

False Positives

Legitimate embedded Lua use in game engines (e.g., World of Warcraft AddOns, Roblox tooling) or creative tools like Neovim, Hammerspoon, or Awesome WM which use Lua for configuration and plugins
Network monitoring or automation tools such as Wireshark dissectors or NMAP NSE (Nmap Scripting Engine) which execute Lua scripts for legitimate packet analysis
DevOps tooling pipelines where Lua is embedded in CI/CD frameworks, Redis scripting (EVAL with Lua), or OpenResty/Nginx Lua modules during build or test phases

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  CASE
    WHEN "Command" ILIKE '%os.execute%' OR "Command" ILIKE '%io.popen%' THEN 2
    ELSE 0
  END +
  CASE
    WHEN "Command" ILIKE '%socket.tcp%' OR "Command" ILIKE '%socket.connect%' OR "Command" ILIKE '%http.request%' THEN 2
    ELSE 0
  END +
  CASE
    WHEN "Command" ILIKE '%loadstring%' OR "Command" ILIKE '%loadfile%' OR "Command" ILIKE '%dofile%' THEN 1
    ELSE 0
  END AS suspicion_score
FROM events
WHERE
  LOGSOURCETYPEID IN (
    SELECT id FROM log_source_types WHERE name ILIKE '%Sysmon%'
    UNION
    SELECT id FROM log_source_types WHERE name ILIKE '%Windows Security%'
    UNION
    SELECT id FROM log_source_types WHERE name ILIKE '%Linux%'
  )
  AND starttime > NOW() - 86400000
  AND (
    "Process Name" ILIKE '%lua%'
    OR "Process Name" ILIKE '%luajit%'
    OR "Process Name" ILIKE '%luac%'
    OR "Command" ILIKE '%.lua%'
    OR "Command" ILIKE '%dofile(%'
    OR "Command" ILIKE '%loadfile(%'
    OR "Command" ILIKE '%loadstring(%'
    OR "Command" ILIKE '%os.execute(%'
    OR "Command" ILIKE '%io.popen(%'
    OR "Command" ILIKE '%socket.tcp%'
    OR "Command" ILIKE '%socket.connect%'
    OR "Command" ILIKE '%http.request%'
    OR "Command" ILIKE '%ltn12.pump%'
  )
  AND (
    CASE
      WHEN "Command" ILIKE '%os.execute%' OR "Command" ILIKE '%io.popen%' THEN 2
      ELSE 0
    END +
    CASE
      WHEN "Command" ILIKE '%socket.tcp%' OR "Command" ILIKE '%socket.connect%' OR "Command" ILIKE '%http.request%' THEN 2
      ELSE 0
    END +
    CASE
      WHEN "Command" ILIKE '%loadstring%' OR "Command" ILIKE '%loadfile%' OR "Command" ILIKE '%dofile%' THEN 1
      ELSE 0
    END
  ) > 0
ORDER BY suspicion_score DESC, starttime DESC
LIMIT 500

medium severity medium confidence

Data Sources

QRadar SIEM with Windows Sysmon DSM QRadar Linux OS DSM Microsoft Windows Security Event Log DSM

Required Tables

events

False Positives

Redis EVAL commands executed by application servers using server-side Lua scripting will trigger on lua process references in some logging configurations
OpenResty or Kong API gateway deployments use LuaJIT extensively for routing logic and middleware — these generate high volumes of legitimate Lua execution events
Security research or malware analysis workstations running sandboxed Lua-based samples in controlled environments (e.g., REMnux, FlareVM tooling)

Sumo Logic CSE

sql

_sourceCategory=*windows*sysmon* OR _sourceCategory=*linux*auditd* OR _sourceCategory=*endpoint*
| where EventCode = 1 or type = "EXECVE" or EventID = 1
| parse field=CommandLine "*" as cmdline nodrop
| parse field=cmd "*" as cmdline nodrop
| where (
    Image matches "*lua*.exe" or
    Image matches "*luajit*" or
    Image matches "*luac*" or
    cmdline matches "*.lua*" or
    cmdline matches "*dofile(*" or
    cmdline matches "*loadfile(*" or
    cmdline matches "*loadstring(*" or
    cmdline matches "*os.execute(*" or
    cmdline matches "*io.popen(*" or
    cmdline matches "*socket.tcp*" or
    cmdline matches "*socket.connect*" or
    cmdline matches "*http.request*" or
    cmdline matches "*ltn12.pump*" or
    cmdline matches "*io.open(*" or
    cmdline matches "*require(*"
  )
| eval OsExec = if(cmdline matches "*os.execute*" or cmdline matches "*io.popen*", 2, 0)
| eval NetworkActivity = if(cmdline matches "*socket.tcp*" or cmdline matches "*socket.connect*" or cmdline matches "*http.request*", 2, 0)
| eval DynamicLoad = if(cmdline matches "*loadstring*" or cmdline matches "*loadfile*" or cmdline matches "*dofile*", 1, 0)
| eval SuspicionScore = OsExec + NetworkActivity + DynamicLoad
| where SuspicionScore > 0
| eval ScriptFromTemp = if(cmdline matches "*\\Temp\\*" or cmdline matches "*/tmp/*" or cmdline matches "*AppData*", "true", "false")
| fields _messageTime, _sourceHost, user, Image, cmdline, ParentImage, OsExec, NetworkActivity, DynamicLoad, SuspicionScore, ScriptFromTemp
| sort by SuspicionScore desc, _messageTime desc

medium severity medium confidence

Data Sources

Sumo Logic Installed Collector with Windows Sysmon source Sumo Logic Installed Collector with Linux auditd source Sumo Logic Cloud SIEM normalized endpoint events

Required Tables

Sysmon Event ID 1 logs Linux auditd EXECVE records

False Positives

Game development pipelines using Lua for scripting (Love2D, Defold, Corona SDK) where developers test Lua scripts locally and use network sockets for live-reload or debugging protocols
Neovim or other text editors configured with Lua plugins that call os.execute or io.popen for shell integration features like fuzzy finders, formatters, or LSP wrappers
Automated test frameworks for embedded systems (Lunit, busted) running Lua test suites in CI/CD environments that exercise file I/O and process execution APIs

Google Chronicle / SecOps

yaral

rule mitre_t1059_011_lua_execution {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Lua interpreter execution or inline Lua API abuse indicative of T1059.011. Covers OS execution, network socket calls, dynamic script loading, and execution from temp paths."
    severity = "MEDIUM"
    priority = "MEDIUM"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1059.011"
    reference = "https://attack.mitre.org/techniques/T1059/011/"
    created = "2026-04-16"
    false_positives = "Game engines, Neovim plugins, OpenResty, Redis EVAL"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.command_line != ""

    (
      re.regex($e.target.process.file.full_path, `(?i)(lua|luajit|luac)(5[\d.]*)?(\.exe)?$`) or
      re.regex($e.target.process.command_line, `(?i)(\.lua[\s"']|dofile\s*\(|loadfile\s*\(|loadstring\s*\(|require\s*\(|os\.execute\s*\(|io\.popen\s*\(|socket\.tcp|socket\.connect|http\.request|ltn12\.pump|io\.open\s*\()`) or
      re.regex($e.target.process.file.full_path, `(?i)lua[0-9]*(jit|c)?\.exe`)
    )

    (
      re.regex($e.target.process.command_line, `(?i)(os\.execute|io\.popen|socket\.tcp|socket\.connect|http\.request|loadstring|loadfile|dofile)`) or
      re.regex($e.target.process.file.full_path, `(?i)(lua|luajit|luac)(\.exe)?$`)
    )

    $host = $e.principal.hostname
    $user = $e.principal.user.userid
    $cmdline = $e.target.process.command_line
    $proc = $e.target.process.file.full_path
    $parent = $e.principal.process.file.full_path

  condition:
    $e
}

medium severity medium confidence

Data Sources

Chronicle UDM with Windows Sysmon forwarder Chronicle UDM with Linux auditd/osquery forwarder Chronicle native endpoint telemetry (CrowdStrike, Carbon Black, SentinelOne)

Required Tables

UDM entity graph - PROCESS_LAUNCH events

False Positives

OpenResty or Nginx with Lua module (ngx_lua) deployments where LuaJIT executes as part of web request handling, generating frequent io.open and socket calls that match network patterns
Hammerspoon (macOS automation tool) uses Lua extensively including os.execute and io.popen for system automation tasks like window management and hotkeys
Scientific computing or data analysis environments using LuaJIT through Torch/PyTorch legacy installations, where loadstring and require are normal module loading patterns

CrowdStrike LogScale (CQL)

cql

// CrowdStrike LogScale (Falcon) — T1059.011 Lua Execution Detection
// Primary: Process execution events matching Lua interpreter or Lua API patterns

#event_simpleName = ProcessRollup2
| ImageFileName = /(?i)(lua|luajit|luac)(5[\d.]*)?(\.exe)?$/
  OR CommandLine = /(?i)(\.lua[\s"'\x00]|dofile\s*\(|loadfile\s*\(|loadstring\s*\(|os\.execute\s*\(|io\.popen\s*\(|socket\.tcp|socket\.connect|http\.request|ltn12\.pump)/
| eval(
    OsExec = if(CommandLine = /(?i)(os\.execute|io\.popen)/, 2, 0),
    NetworkActivity = if(CommandLine = /(?i)(socket\.tcp|socket\.connect|http\.request|ltn12\.pump)/, 2, 0),
    DynamicLoad = if(CommandLine = /(?i)(loadstring|loadfile|dofile)/, 1, 0),
    ScriptFromTemp = if(CommandLine = /(?i)([\\|\/]tmp[\\|\/]|\\Temp\\|AppData)/, "true", "false")
  )
| SuspicionScore := OsExec + NetworkActivity + DynamicLoad
| SuspicionScore > 0
| table(
    [@timestamp, ComputerName, UserName, ImageFileName, CommandLine,
     ParentBaseFileName, OsExec, NetworkActivity, DynamicLoad,
     SuspicionScore, ScriptFromTemp, TargetProcessId, ContextProcessId],
    sortby=SuspicionScore,
    order=desc,
    limit=200
  )

// Secondary: Correlate with network events for same process
// Uncomment to join with network activity:
// | join(
//     [#event_simpleName = NetworkConnectIP4
//      | RemotePort != 53],
//     field=ContextProcessId, key=ContextProcessId, mode=left
//   )

medium severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Detection (EDR) Falcon Data Replicator (FDR) streaming to LogScale CrowdStrike Humio/LogScale SIEM integration

Required Tables

ProcessRollup2 NetworkConnectIP4 DnsRequest

False Positives

CrowdStrike Falcon sensor itself or third-party EDR tools that embed Lua for scripting detection logic or behavioral rules — these generate internal process events matching Lua binary patterns
Redis server processes executing EVAL commands with Lua scripts for atomic operations; on some Linux distributions the redis-server binary invokes lua-related library calls visible in process telemetry
Build systems or package managers (LuaRocks, CMake with Lua bindings) running during software compilation that invoke luac for bytecode compilation of legitimate application components

Lua

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections