Detect Lua in Splunk
Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line via the standalone lua interpreter, via scripts (.lua), or from Lua-embedded programs. Adversaries may incorporate, abuse, or replace existing Lua interpreters to execute malicious code. Notable examples include EvilBunny (malware instrumented by Lua), Remsec/ProjectSauron (modular Lua-based APT), Line Runner (Cisco device implant using Lua), PoetRAT (Lua interpreter for Windows), and RedLine Stealer (Lua bytecode for evasion).
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1059 Command and Scripting Interpreter
- Sub-technique
- T1059.011 Lua
- Canonical reference
- https://attack.mitre.org/techniques/T1059/011/
SPL Detection Query
(index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 (Image="*\\lua*.exe" OR CommandLine="*.lua*"))
OR
(index=linux sourcetype="linux:auditd" type=EXECVE (a0="*lua*" OR a1="*.lua"))
| eval cmdline=coalesce(CommandLine, a0." ".a1." ".a2)
| eval OsExec=if(match(cmdline, "(os\.execute|io\.popen)"), 1, 0)
| eval NetworkActivity=if(match(cmdline, "(socket\.tcp|socket\.connect|http\.request)"), 1, 0)
| eval DynamicLoad=if(match(cmdline, "(loadstring|loadfile|dofile)"), 1, 0)
| eval SuspicionScore=OsExec*2 + NetworkActivity*2 + DynamicLoad
| where SuspicionScore > 0
| table _time, host, User, Image, cmdline, ParentImage, OsExec, NetworkActivity, DynamicLoad, SuspicionScore
| sort - SuspicionScore, - _timeDetects suspicious Lua execution from both Windows (Sysmon) and Linux (auditd) sources. Evaluates for OS command execution, network activity, and dynamic code loading. Higher scoring for os.execute/io.popen and network socket usage as these indicate active system compromise.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Game engines and applications with embedded Lua scripting
- Network monitoring tools using Lua for packet inspection
- Configuration management tools with Lua-based configurations
Other platforms for T1059.011
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Lua OS Command Execution
Expected signal: Auditd: EXECVE record for lua with -e flag and os.execute in arguments. Child process event for whoami spawned by the Lua interpreter.
- Test 2Lua Network Socket Connection
Expected signal: Auditd: EXECVE record for lua with socket.tcp in arguments. Network connection attempt to 127.0.0.1:4444.
- Test 3Lua Dynamic Code Loading
Expected signal: Auditd: EXECVE record for lua with loadstring in arguments. The dynamically loaded code is executed at runtime.
References (6)
- https://attack.mitre.org/techniques/T1059/011/
- https://www.lua.org/start.html
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf
- https://blog.talosintelligence.com/poetrat-update/
- https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/redline-stealer-new-variant-uses-lua-bytecode/
Unlock Pro Content
Get the full detection package for T1059.011 including response playbook, investigation guide, and atomic red team tests.