T1059.011 Sumo Logic CSE · Sumo

Detect Lua in Sumo Logic CSE

Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line via the standalone lua interpreter, via scripts (.lua), or from Lua-embedded programs. Adversaries may incorporate, abuse, or replace existing Lua interpreters to execute malicious code. Notable examples include EvilBunny (malware instrumented by Lua), Remsec/ProjectSauron (modular Lua-based APT), Line Runner (Cisco device implant using Lua), PoetRAT (Lua interpreter for Windows), and RedLine Stealer (Lua bytecode for evasion).

MITRE ATT&CK

Tactic: Execution
Technique: T1059 Command and Scripting Interpreter
Sub-technique: T1059.011 Lua
Canonical reference: https://attack.mitre.org/techniques/T1059/011/

Sumo Detection Query

Sumo Logic CSE (Sumo)

_sourceCategory=*windows*sysmon* OR _sourceCategory=*linux*auditd* OR _sourceCategory=*endpoint*
| where EventCode = 1 or type = "EXECVE" or EventID = 1
// Sysmon carries CommandLine, auditd EXECVE carries cmd: parse each with nodrop, then keep whichever is present
// (parsing both straight into cmdline would let the second parse overwrite the first with null)
| parse field=CommandLine "*" as win_cmdline nodrop
| parse field=cmd "*" as nix_cmdline nodrop
| if(isNull(win_cmdline), nix_cmdline, win_cmdline) as cmdline
| where (
    Image matches "*lua*.exe" or
    Image matches "*luajit*" or
    Image matches "*luac*" or
    cmdline matches "*.lua*" or
    cmdline matches "*dofile(*" or
    cmdline matches "*loadfile(*" or
    cmdline matches "*loadstring(*" or
    cmdline matches "*os.execute(*" or
    cmdline matches "*io.popen(*" or
    cmdline matches "*socket.tcp*" or
    cmdline matches "*socket.connect*" or
    cmdline matches "*http.request*" or
    cmdline matches "*ltn12.pump*" or
    cmdline matches "*io.open(*" or
    cmdline matches "*require(*"
  )
// Sumo has no eval operator; derived fields are written as `expression as field`
| if(cmdline matches "*os.execute*" or cmdline matches "*io.popen*", 2, 0) as OsExec
| if(cmdline matches "*socket.tcp*" or cmdline matches "*socket.connect*" or cmdline matches "*http.request*", 2, 0) as NetworkActivity
| if(cmdline matches "*loadstring*" or cmdline matches "*loadfile*" or cmdline matches "*dofile*", 1, 0) as DynamicLoad
| OsExec + NetworkActivity + DynamicLoad as SuspicionScore
| where SuspicionScore > 0
| if(cmdline matches "*\\Temp\\*" or cmdline matches "*/tmp/*" or cmdline matches "*AppData*", "true", "false") as ScriptFromTemp
| fields _messageTime, _sourceHost, user, Image, cmdline, ParentImage, OsExec, NetworkActivity, DynamicLoad, SuspicionScore, ScriptFromTemp
| sort by SuspicionScore desc, _messageTime desc

Severity: medium. Confidence: medium.

Sumo Logic search that detects execution of a Lua interpreter, or command lines carrying embedded Lua API calls, that indicate T1059.011 abuse. Each matching event is scored on three signals: OS shell execution, network socket calls, and dynamic script loading; only events with a non-zero score are returned, ordered by score. The search draws on both Windows Sysmon and Linux auditd sources.
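The scoring logic above, replayed offline over constructed sample events so the weighting and the `SuspicionScore > 0` cut-off can be checked before the query is deployed. This is an added example, not code from the page or from Sumo Logic; the event shapes and field names are assumptions, and auditd EXECVE records are modelled with their a0, a1, ... argv fields rather than the single cmd field the query parses.

```python
import fnmatch
import re

# Constructed sample events, not real telemetry: one Sysmon Event ID 1 record and three auditd EXECVE
# records (auditd splits argv into a0, a1, ... fields instead of giving one CommandLine string).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Tools\lua54.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "lua54.exe -e \"os.execute('whoami')\""},
    {"type": "EXECVE", "a0": "lua", "a1": "/tmp/drop.lua"},
    {"type": "EXECVE", "a0": "lua", "a1": "-e",
     "a2": "local socket=require('socket'); local c=socket.tcp(); c:connect('127.0.0.1',4444)"},
    {"type": "EXECVE", "a0": "lua", "a1": "-e", "a2": "dofile('/tmp/stage.lua')"},
]

INTERPRETER_GLOBS = ("*lua*.exe", "*luajit*", "*luac*")
API_GLOBS = ("*.lua*", "*dofile(*", "*loadfile(*", "*loadstring(*", "*os.execute(*", "*io.popen(*",
             "*socket.tcp*", "*socket.connect*", "*http.request*", "*ltn12.pump*", "*io.open(*",
             "*require(*")

def _any_match(value, globs):
    # Glob comparison standing in for the query's `matches`; case-insensitive here (an assumption).
    return any(fnmatch.fnmatchcase(value.lower(), g.lower()) for g in globs)

def normalize_cmdline(ev):
    # Mirror the query's cmdline parsing: Sysmon's CommandLine, else auditd argv joined in order.
    if "CommandLine" in ev:
        return ev["CommandLine"]
    keys = sorted((k for k in ev if re.fullmatch(r"a\d+", k)), key=lambda k: int(k[1:]))
    return " ".join(ev[k] for k in keys)

def score_event(ev):
    cmd = normalize_cmdline(ev)
    image = ev.get("Image", ev.get("a0", ""))
    if not (_any_match(image, INTERPRETER_GLOBS) or _any_match(cmd, API_GLOBS)):
        return None  # no Lua indicator at all: dropped by the first `where`
    os_exec = 2 if _any_match(cmd, ("*os.execute*", "*io.popen*")) else 0
    network = 2 if _any_match(cmd, ("*socket.tcp*", "*socket.connect*", "*http.request*")) else 0
    dyn_load = 1 if _any_match(cmd, ("*loadstring*", "*loadfile*", "*dofile*")) else 0
    total = os_exec + network + dyn_load
    if total == 0:
        return None  # `SuspicionScore > 0`: a bare `lua /tmp/drop.lua` is never surfaced
    from_temp = _any_match(cmd, ("*\\Temp\\*", "*/tmp/*", "*AppData*"))
    return {"cmdline": cmd, "OsExec": os_exec, "NetworkActivity": network,
            "DynamicLoad": dyn_load, "SuspicionScore": total, "ScriptFromTemp": from_temp}

def run_detection(events):
    # Equivalent of the final `where` / `fields` / `sort by SuspicionScore desc` stages.
    hits = [h for h in (score_event(e) for e in events) if h]
    return sorted(hits, key=lambda h: h["SuspicionScore"], reverse=True)
```

Note that the second sample event, a script launched from /tmp, produces no hit: the query only inspects the command line, so API calls inside a .lua file are invisible to it and ScriptFromTemp is only ever computed for events that already scored on an inline payload.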

Data Sources

  • Sumo Logic Installed Collector with Windows Sysmon source
  • Sumo Logic Installed Collector with Linux auditd source
  • Sumo Logic Cloud SIEM normalized endpoint events

Required Tables

  • Sysmon Event ID 1 logs
  • Linux auditd EXECVE records

False Positives & Tuning

  • Game development pipelines using Lua for scripting (Love2D, Defold, Corona SDK) where developers test Lua scripts locally and use network sockets for live-reload or debugging protocols
  • Neovim or other text editors configured with Lua plugins that call os.execute or io.popen for shell integration features like fuzzy finders, formatters, or LSP wrappers
  • Automated test frameworks for embedded systems (Lunit, busted) running Lua test suites in CI/CD environments that exercise file I/O and process execution APIs
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Lua OS Command Execution

    Expected signal: Auditd: EXECVE record for lua with -e flag and os.execute in arguments. Child process event for whoami spawned by the Lua interpreter.

  2. Test 2: Lua Network Socket Connection

    Expected signal: Auditd: EXECVE record for lua with socket.tcp in arguments. Network connection attempt to 127.0.0.1:4444.

  3. Test 3: Lua Dynamic Code Loading

    Expected signal: Auditd: EXECVE record for lua with loadstring in arguments. The dynamically loaded code is executed at runtime.
