T1059.011 CrowdStrike LogScale · LogScale

Detect Lua in CrowdStrike LogScale

Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line via the standalone lua interpreter, via scripts (.lua), or from Lua-embedded programs. Adversaries may incorporate, abuse, or replace existing Lua interpreters to execute malicious code. Notable examples include EvilBunny (malware instrumented by Lua), Remsec/ProjectSauron (modular Lua-based APT), Line Runner (Cisco device implant using Lua), PoetRAT (Lua interpreter for Windows), and RedLine Stealer (Lua bytecode for evasion).

MITRE ATT&CK

Tactic
Execution
Technique
T1059 Command and Scripting Interpreter
Sub-technique
T1059.011 Lua
Canonical reference
https://attack.mitre.org/techniques/T1059/011/

LogScale Detection Query

Query language: CrowdStrike LogScale CQL
// CrowdStrike LogScale (Falcon) — T1059.011 Lua Execution Detection
// Primary: Process execution events matching Lua interpreter or Lua API patterns

#event_simpleName = ProcessRollup2
| (ImageFileName = /(?i)(lua|luajit|luac)(5[\d.]*)?(\.exe)?$/
   OR CommandLine = /(?i)(\.lua[\s"'\x00]|dofile\s*\(|loadfile\s*\(|loadstring\s*\(|os\.execute\s*\(|io\.popen\s*\(|socket\.tcp|socket\.connect|http\.request|ltn12\.pump)/)
// Score each behaviour separately; if() takes named then=/else= parameters
| OsExec := if(CommandLine = /(?i)(os\.execute|io\.popen)/, then=2, else=0)
| NetworkActivity := if(CommandLine = /(?i)(socket\.tcp|socket\.connect|http\.request|ltn12\.pump)/, then=2, else=0)
| DynamicLoad := if(CommandLine = /(?i)(loadstring|loadfile|dofile)/, then=1, else=0)
// Script or interpreter run from a temp/user-writable location (informational, not scored)
| ScriptFromTemp := if(CommandLine = /(?i)([\\\/]tmp[\\\/]|\\Temp\\|AppData)/, then="true", else="false")
| SuspicionScore := OsExec + NetworkActivity + DynamicLoad
| SuspicionScore > 0

// Secondary: Correlate with network events for the same process.
// ProcessRollup2 identifies the process by TargetProcessId; NetworkConnectIP4
// refers to the connecting process as ContextProcessId, so join on that pair.
// Must run before table(), which is an aggregate. Uncomment to join:
// | join(
//     [#event_simpleName = NetworkConnectIP4
//      | RemotePort != 53],
//     field=TargetProcessId, key=ContextProcessId, mode=left,
//     include=[RemoteAddressIP4, RemotePort]
//   )

| table(
    [@timestamp, ComputerName, UserName, ImageFileName, CommandLine,
     ParentBaseFileName, OsExec, NetworkActivity, DynamicLoad,
     SuspicionScore, ScriptFromTemp, TargetProcessId, ContextProcessId],
    sortby=SuspicionScore,
    order=desc,
    limit=200
  )
Severity: medium. Confidence: medium.

A CrowdStrike LogScale CQL query over Falcon ProcessRollup2 events that detects execution of a Lua interpreter, or Lua API function names in process command lines, and scores each hit on OS shell execution, network socket use and dynamic code loading. An optional join with NetworkConnectIP4 attaches the process's network connections for lateral movement correlation.

Data Sources

  • CrowdStrike Falcon Endpoint Detection (EDR)
  • Falcon Data Replicator (FDR) streaming to LogScale
  • CrowdStrike Humio/LogScale SIEM integration

Required Tables

  • ProcessRollup2
  • NetworkConnectIP4
  • DnsRequest

False Positives & Tuning

  • CrowdStrike Falcon sensor itself or third-party EDR tools that embed Lua for scripting detection logic or behavioral rules — these generate internal process events matching Lua binary patterns
  • Redis server processes executing EVAL commands with Lua scripts for atomic operations; on some Linux distributions the redis-server binary invokes lua-related library calls visible in process telemetry
  • Build systems or package managers (LuaRocks, CMake with Lua bindings) running during software compilation that invoke luac for bytecode compilation of legitimate application components

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Lua OS Command Execution

    Expected signal: Auditd: EXECVE record for lua with -e flag and os.execute in arguments. Child process event for whoami spawned by the Lua interpreter.

  2. Test 2: Lua Network Socket Connection

    Expected signal: Auditd: EXECVE record for lua with socket.tcp in arguments. Network connection attempt to 127.0.0.1:4444.

  3. Test 3: Lua Dynamic Code Loading

    Expected signal: Auditd: EXECVE record for lua with loadstring in arguments. The dynamically loaded code is executed at runtime.
