Detect Lua in Microsoft Sentinel
Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line via the standalone lua interpreter, via scripts (.lua), or from Lua-embedded programs. Adversaries may incorporate, abuse, or replace existing Lua interpreters to execute malicious code. Notable examples include EvilBunny (malware instrumented by Lua), Remsec/ProjectSauron (modular Lua-based APT), Line Runner (Cisco device implant using Lua), PoetRAT (Lua interpreter for Windows), and RedLine Stealer (Lua bytecode for evasion).
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1059 Command and Scripting Interpreter
- Sub-technique
- T1059.011 Lua
- Canonical reference
- https://attack.mitre.org/techniques/T1059/011/
KQL Detection Query
let LuaPatterns = dynamic([
"lua.exe", "lua5", "luajit", "luac",
".lua", "dofile(", "loadfile(", "loadstring(",
"require(", "os.execute(", "io.popen(",
"os.remove(", "os.rename(", "io.open(",
"socket.tcp", "socket.connect",
"http.request", "ltn12.pump"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any ("lua", "luajit", "luac") or ProcessCommandLine has_any (LuaPatterns)
| extend OsExec = ProcessCommandLine has_any ("os.execute(", "io.popen(")
| extend NetworkActivity = ProcessCommandLine has_any ("socket.tcp", "socket.connect", "http.request")
| extend DynamicLoad = ProcessCommandLine has_any ("loadstring(", "loadfile(", "dofile(")
| extend ScriptFromTemp = ProcessCommandLine has_any ("\\Temp\\", "/tmp/", "AppData")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
OsExec, NetworkActivity, DynamicLoad, ScriptFromTemp
| sort by Timestamp descDetects Lua script execution across platforms using MDE. Identifies Lua interpreter execution (lua, luajit, luac), OS command execution via os.execute/io.popen, network activity via socket/HTTP libraries, dynamic code loading, and scripts executing from temp directories. Covers Windows, Linux, macOS, and network devices.
Data Sources
Required Tables
False Positives & Tuning
- Game engines and applications with embedded Lua scripting (World of Warcraft, Roblox, Redis, Nginx)
- Network monitoring tools using Lua for packet inspection (Wireshark, Nmap NSE scripts)
- Configuration management tools with Lua-based configurations (OpenResty, Kong API Gateway)
Other platforms for T1059.011
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Lua OS Command Execution
Expected signal: Auditd: EXECVE record for lua with -e flag and os.execute in arguments. Child process event for whoami spawned by the Lua interpreter.
- Test 2Lua Network Socket Connection
Expected signal: Auditd: EXECVE record for lua with socket.tcp in arguments. Network connection attempt to 127.0.0.1:4444.
- Test 3Lua Dynamic Code Loading
Expected signal: Auditd: EXECVE record for lua with loadstring in arguments. The dynamically loaded code is executed at runtime.
References (6)
- https://attack.mitre.org/techniques/T1059/011/
- https://www.lua.org/start.html
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf
- https://blog.talosintelligence.com/poetrat-update/
- https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/redline-stealer-new-variant-uses-lua-bytecode/
Unlock Pro Content
Get the full detection package for T1059.011 including response playbook, investigation guide, and atomic red team tests.