title: Lua (T1059.011)
id: df00tech-t1059-011
status: experimental
description: "Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line via the standalone lua interpreter, via scripts (.lua), or from Lua-embedded programs. Adversaries may incorporate, abuse, or replace existing Lua interpreters to execute malicious code. Notable examples include EvilBunny (malware instrumented by Lua), Remsec/ProjectSauron (modular Lua-based APT), Line Runner (Cisco device implant using Lua), PoetRAT (Lua interpreter for Windows), and RedLine Stealer (Lua bytecode for evasion)."
references:
  - https://attack.mitre.org/techniques/T1059/011/
  - https://df00tech.com/detections/T1059.011
author: df00tech
date: 2026/04/16
tags:
  - attack.execution
  - attack.t1059.011
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Starting point for the technique described above: the standalone Lua interpreter or compiler
  # launched as a process on Windows. Image covers the common binary names shipped by Lua builds;
  # OriginalFileName (PE version resource, where the binary carries one) still matches a copy that
  # an adversary has renamed. Applications that embed Lua in-process never spawn these binaries
  # and cannot be seen by a process_creation rule.
  selection:
    - Image|endswith:
        - '\lua.exe'
        - '\luac.exe'
        - '\luajit.exe'
        - '\lua5.1.exe'
        - '\lua5.3.exe'
        - '\lua5.4.exe'
        - '\lua51.exe'
        - '\lua53.exe'
        - '\lua54.exe'
    - OriginalFileName:
        - 'lua.exe'
        - 'luac.exe'
        - 'luajit.exe'
  condition: selection
falsepositives:
  - "Developers, build pipelines and test harnesses that run the standalone lua interpreter or the luac compiler"
  - "Applications that embed a Lua interpreter (World of Warcraft, Roblox, Redis, Nginx/OpenResty, Kong API Gateway) run Lua in-process; they produce no hits from this rule, but Lua executed inside them is also not covered by it"
  - "Network analysis tools that run Lua internally (Wireshark dissectors, Nmap NSE scripts) likewise do not spawn a lua.exe process"
level: medium
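The selection above, evaluated in code over a handful of constructed Windows process_creation events so that a practitioner can see which events fire and why. This is an added example, not part of the df00tech rule or of any Sigma backend: the matching mirrors Sigma semantics (case-insensitive string comparison, `endswith` on Image, exact match on OriginalFileName), the field names follow Sysmon EventID 1, and the sample events are invented here, not real telemetry.

```python
"""Evaluate the Lua process_creation selection over constructed sample events.

Added example, not the rule's own code. The constants mirror the rule's
selection; the events below are constructed for illustration, not real logs.
"""

# Image|endswith list from the rule (Sigma compares strings case-insensitively).
LUA_IMAGE_SUFFIXES = (
    '\\lua.exe', '\\luac.exe', '\\luajit.exe',
    '\\lua5.1.exe', '\\lua5.3.exe', '\\lua5.4.exe',
    '\\lua51.exe', '\\lua53.exe', '\\lua54.exe',
)
# OriginalFileName list from the rule: catches a renamed copy of the interpreter
# as long as the PE version resource was left intact.
LUA_ORIGINAL_FILENAMES = ('lua.exe', 'luac.exe', 'luajit.exe')


def field(event, name):
    """Return a field lower-cased, or '' if absent, to emulate Sigma's matching."""
    return str(event.get(name, '')).lower()


def matches(event):
    """Return the name of the selection field that matched, or None."""
    image = field(event, 'Image')
    if any(image.endswith(suffix) for suffix in LUA_IMAGE_SUFFIXES):
        return 'Image'
    if field(event, 'OriginalFileName') in LUA_ORIGINAL_FILENAMES:
        return 'OriginalFileName'
    return None


def run(events):
    """Return (ProcessId, matched_field) for every event the rule selects."""
    hits = []
    for event in events:
        reason = matches(event)
        if reason is not None:
            hits.append((event['ProcessId'], reason))
    return hits


# Constructed sample events in Sysmon EventID 1 field naming (not real telemetry).
SAMPLE_EVENTS = [
    # Legitimate developer run of the interpreter: fires on Image.
    {'ProcessId': 4101, 'Image': r'C:\Program Files\Lua\5.4\lua.exe',
     'OriginalFileName': 'lua.exe',
     'CommandLine': r'lua.exe C:\Users\dev\build.lua'},
    # Interpreter renamed to look like a system binary: fires on OriginalFileName.
    {'ProcessId': 4102, 'Image': r'C:\Users\Public\svchost.exe',
     'OriginalFileName': 'lua.exe',
     'CommandLine': r'svchost.exe C:\Users\Public\update.lua'},
    # An editor opening a .lua file: must not fire (why the rule avoids CommandLine|contains '.lua').
    {'ProcessId': 4103, 'Image': r'C:\Windows\System32\notepad.exe',
     'OriginalFileName': 'NOTEPAD.EXE',
     'CommandLine': r'notepad.exe C:\Users\dev\init.lua'},
    # Embedded Lua (Redis): runs in-process, no interpreter binary, invisible to this rule.
    {'ProcessId': 4104, 'Image': r'C:\Program Files\Redis\redis-server.exe',
     'OriginalFileName': 'redis-server.exe',
     'CommandLine': 'redis-server.exe'},
    # Mixed-case LuaJIT invocation with inline code: fires on Image despite the casing.
    {'ProcessId': 4105, 'Image': r'C:\tools\LuaJIT\LUAJIT.EXE',
     'OriginalFileName': 'luajit.exe',
     'CommandLine': 'LUAJIT.EXE -e "os.execute([[whoami]])"'},
]


if __name__ == '__main__':
    for pid, reason in run(SAMPLE_EVENTS):
        print(f'ProcessId {pid} selected via {reason}')
```

Event 4103 is the reason the rule keys on the interpreter binary rather than on `.lua` in the command line: any editor or file-association launch carrying a script path would otherwise fire. Event 4104 shows the rule's blind spot named in the falsepositives section, Lua running inside a host process.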
