T1059.011 IBM QRadar · QRadar

Detect Lua in IBM QRadar

Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line via the standalone lua interpreter, via scripts (.lua), or from Lua-embedded programs. Adversaries may incorporate, abuse, or replace existing Lua interpreters to execute malicious code. Notable examples include EvilBunny (malware instrumented by Lua), Remsec/ProjectSauron (modular Lua-based APT), Line Runner (Cisco device implant using Lua), PoetRAT (Lua interpreter for Windows), and RedLine Stealer (Lua bytecode for evasion).

MITRE ATT&CK

Tactic
Execution
Technique
T1059 Command and Scripting Interpreter
Sub-technique
T1059.011 Lua
Canonical reference
https://attack.mitre.org/techniques/T1059/011/

QRadar Detection Query

IBM QRadar (QRadar), AQL:
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  CASE
    WHEN "Command" ILIKE '%os.execute%' OR "Command" ILIKE '%io.popen%' THEN 2
    ELSE 0
  END +
  CASE
    WHEN "Command" ILIKE '%socket.tcp%' OR "Command" ILIKE '%socket.connect%' OR "Command" ILIKE '%http.request%' THEN 2
    ELSE 0
  END +
  CASE
    WHEN "Command" ILIKE '%loadstring%' OR "Command" ILIKE '%loadfile%' OR "Command" ILIKE '%dofile%' THEN 1
    ELSE 0
  END AS suspicion_score
FROM events
WHERE
  LOGSOURCETYPEID IN (
    SELECT id FROM log_source_types WHERE name ILIKE '%Sysmon%'
    UNION
    SELECT id FROM log_source_types WHERE name ILIKE '%Windows Security%'
    UNION
    SELECT id FROM log_source_types WHERE name ILIKE '%Linux%'
  )
  AND starttime > NOW() - 86400000
  AND (
    "Process Name" ILIKE '%lua%'
    OR "Process Name" ILIKE '%luajit%'
    OR "Process Name" ILIKE '%luac%'
    OR "Command" ILIKE '%.lua%'
    OR "Command" ILIKE '%dofile(%'
    OR "Command" ILIKE '%loadfile(%'
    OR "Command" ILIKE '%loadstring(%'
    OR "Command" ILIKE '%os.execute(%'
    OR "Command" ILIKE '%io.popen(%'
    OR "Command" ILIKE '%socket.tcp%'
    OR "Command" ILIKE '%socket.connect%'
    OR "Command" ILIKE '%http.request%'
    OR "Command" ILIKE '%ltn12.pump%'
  )
  AND (
    CASE
      WHEN "Command" ILIKE '%os.execute%' OR "Command" ILIKE '%io.popen%' THEN 2
      ELSE 0
    END +
    CASE
      WHEN "Command" ILIKE '%socket.tcp%' OR "Command" ILIKE '%socket.connect%' OR "Command" ILIKE '%http.request%' THEN 2
      ELSE 0
    END +
    CASE
      WHEN "Command" ILIKE '%loadstring%' OR "Command" ILIKE '%loadfile%' OR "Command" ILIKE '%dofile%' THEN 1
      ELSE 0
    END
  ) > 0
ORDER BY suspicion_score DESC, starttime DESC
LIMIT 500
Severity: medium · Confidence: medium

AQL query identifying Lua interpreter execution or inline Lua API patterns indicative of T1059.011 abuse. Scores events based on OS execution calls, network socket usage, and dynamic code loading. Covers Windows Sysmon process creation events and Linux audit logs.

Data Sources

  • QRadar SIEM with Windows Sysmon DSM
  • QRadar Linux OS DSM
  • Microsoft Windows Security Event Log DSM

Required Tables

events

False Positives & Tuning

  • Redis EVAL commands executed by application servers using server-side Lua scripting will trigger on lua process references in some logging configurations
  • OpenResty or Kong API gateway deployments use LuaJIT extensively for routing logic and middleware — these generate high volumes of legitimate Lua execution events
  • Security research or malware analysis workstations running sandboxed Lua-based samples in controlled environments (e.g., REMnux, FlareVM tooling)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Lua OS Command Execution

    Expected signal: Auditd: EXECVE record for lua with -e flag and os.execute in arguments. Child process event for whoami spawned by the Lua interpreter.

  2. Test 2: Lua Network Socket Connection

    Expected signal: Auditd: EXECVE record for lua with socket.tcp in arguments. Network connection attempt to 127.0.0.1:4444.

  3. Test 3: Lua Dynamic Code Loading

    Expected signal: Auditd: EXECVE record for lua with loadstring in arguments. The dynamically loaded code is executed at runtime.
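As an added example (it is not part of this detection page or of the QRadar rule), the following Python replays the query's pre-filter, its additive suspicion score and the score > 0 gate over constructed telemetry: three auditd EXECVE records shaped like the expected signals in the tests above (one of them with an argument that auditd hex-encodes because it contains spaces, which a naive grep on the raw record would miss), one benign LuaJIT launch that passes the pre-filter but scores 0, and two Sysmon-style events, one of which is spawned by an OpenResty parent to show how the false-positive note on OpenResty/Kong can be tuned with a parent-process allowlist. The allowlisted parent names, the sample records and the Windows path in them are assumptions made for this example.

```python
"""Offline replay of the Lua-abuse scoring from the AQL query above over
constructed Sysmon-style and auditd EXECVE records (example code, not part
of the original detection rule)."""
import re
from typing import Optional

# Score weights mirror the three CASE expressions in the query.
OS_EXEC_APIS = ("os.execute", "io.popen")                        # +2
NETWORK_APIS = ("socket.tcp", "socket.connect", "http.request")  # +2
DYNAMIC_LOAD_APIS = ("loadstring", "loadfile", "dofile")         # +1

# Pre-filter terms from the WHERE clause (ILIKE, so matched case-insensitively).
PROCESS_TERMS = ("lua", "luajit", "luac")
COMMAND_TERMS = (".lua", "dofile(", "loadfile(", "loadstring(", "os.execute(",
                 "io.popen(", "socket.tcp", "socket.connect", "http.request",
                 "ltn12.pump")

# Tuning allowlist (assumption for this example): parent images that drive
# LuaJIT legitimately in this environment, per the false-positive notes.
ALLOWLISTED_PARENTS = ("nginx", "openresty", "kong", "redis-server")


def suspicion_score(command_line: str) -> int:
    """Additive score exactly as the query computes it."""
    cmd = command_line.lower()
    score = 0
    if any(api in cmd for api in OS_EXEC_APIS):
        score += 2
    if any(api in cmd for api in NETWORK_APIS):
        score += 2
    if any(api in cmd for api in DYNAMIC_LOAD_APIS):
        score += 1
    return score


def matches_prefilter(process_name: str, command_line: str) -> bool:
    """The OR-list of process and command terms from the WHERE clause."""
    proc, cmd = process_name.lower(), command_line.lower()
    return any(t in proc for t in PROCESS_TERMS) or any(t in cmd for t in COMMAND_TERMS)


# aN="quoted text" for plain printable arguments, aN=HEX for arguments that
# contain spaces, quotes or control characters.
_ARG_RE = re.compile(r'\ba(\d+)=("[^"]*"|[0-9A-Fa-f]+)')


def parse_auditd_execve(record: str) -> dict:
    """Reconstruct argv from an auditd EXECVE record and shape it like an event row."""
    args = {}
    for idx, raw in _ARG_RE.findall(record):
        if raw.startswith('"'):
            args[int(idx)] = raw[1:-1]
        else:
            args[int(idx)] = bytes.fromhex(raw).decode("utf-8", "replace")
    argv = [args[i] for i in sorted(args)]
    return {
        "Process Name": argv[0] if argv else "",
        "Command": " ".join(argv),
        # EXECVE records carry no parent image; join with the SYSCALL record's ppid for that.
        "Parent Process Name": "",
    }


def evaluate(event: dict) -> Optional[dict]:
    """Apply pre-filter, score gate (> 0) and the tuning allowlist; return the alert or None."""
    proc, cmd = event["Process Name"], event["Command"]
    parent = event.get("Parent Process Name", "")
    if not matches_prefilter(proc, cmd):
        return None
    score = suspicion_score(cmd)
    if score == 0:
        return None
    if any(parent.lower().startswith(p) for p in ALLOWLISTED_PARENTS):
        return None
    return {"process_name": proc, "command_line": cmd,
            "parent_process": parent, "suspicion_score": score}


def run_detection(auditd_records, sysmon_events) -> list:
    """Normalise both telemetry shapes, evaluate, and order like the query (highest score first)."""
    events = [parse_auditd_execve(r) for r in auditd_records] + list(sysmon_events)
    alerts = [a for a in (evaluate(e) for e in events) if a is not None]
    alerts.sort(key=lambda a: a["suspicion_score"], reverse=True)
    return alerts


# Constructed sample telemetry (not real logs). The second record's a2 is
# hex-encoded the way auditd emits an argument containing spaces.
HEX_ARG = b"local s=socket.tcp() s:connect('127.0.0.1',4444)".hex().upper()
SAMPLE_AUDITD = [
    'type=EXECVE msg=audit(1700000000.101:201): argc=3 a0="lua" a1="-e" a2="os.execute(\'whoami\')"',
    'type=EXECVE msg=audit(1700000000.102:202): argc=3 a0="lua" a1="-e" a2=' + HEX_ARG,
    'type=EXECVE msg=audit(1700000000.103:203): argc=3 a0="lua" a1="-e" a2="loadstring(io.read())()"',
    'type=EXECVE msg=audit(1700000000.104:204): argc=2 a0="luajit" a1="/usr/local/openresty/lualib/resty/core.lua"',
]
SAMPLE_SYSMON = [
    {"Process Name": "lua.exe", "Command": "lua.exe -e \"dofile('C:/Temp/stage.lua')\"",
     "Parent Process Name": "winword.exe"},
    {"Process Name": "luajit", "Command": "luajit -e dofile('/usr/local/openresty/site/reload.lua')",
     "Parent Process Name": "openresty"},
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_AUDITD, SAMPLE_SYSMON):
        print(alert["suspicion_score"], alert["process_name"], alert["command_line"])
```

Of the six constructed events, four surface: the three auditd one-liners (scores 2, 2 and 1) and the Office-spawned lua.exe (score 1); the OpenResty `core.lua` launch is dropped by the score gate and the OpenResty-parented `dofile` by the allowlist. The hex-decoding step is the part worth keeping when the auditd events reach QRadar without the EXECVE arguments already joined into a single command-line property.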
