T1059.011 Lua
Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (.lua), or from Lua-embedded programs (through the struct lua_State).[2][3]
Lua scripts may be executed by adversaries for malicious purposes. Adversaries may incorporate, abuse, or replace existing Lua interpreters to allow for malicious Lua command execution at runtime.[5][6][4][1]
| Item | Value |
|---|---|
| ID | T1059.011 |
| Sub-techniques | T1059.001, T1059.002, T1059.003, T1059.004, T1059.005, T1059.006, T1059.007, T1059.008, T1059.009, T1059.010, T1059.011, T1059.012, T1059.013 |
| Tactics | TA0002 |
| Platforms | Linux, Network Devices, Windows, macOS |
| Version | 1.1 |
| Created | 05 August 2024 |
| Last Modified | 15 April 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0396 | EvilBunny | EvilBunny has used Lua scripts to execute payloads.[4] |
| S1188 | Line Runner | Line Runner utilizes Lua scripts for command execution.[9][8] |
| S0428 | PoetRAT | PoetRAT has executed a Lua script through a Lua interpreter for Windows.[10] |
| S1240 | RedLine Stealer | RedLine Stealer malware has leveraged Lua bytecode to perform malicious behavior.[7] |
| S0125 | Remsec | Remsec can use modules written in Lua for execution.[1] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Inventory systems for unauthorized Lua installations. |
| M1038 | Execution Prevention | Denylist Lua interpreters where appropriate. |
| M1033 | Limit Software Installation | Prevent users from installing Lua where not required. |
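The technique description above and the Audit and Execution Prevention mitigations both come down to knowing when a Lua interpreter actually runs on a host. As an added example that is not part of the ATT&CK page, the following Python flags interpreter launches in process-creation records and checks them against an allowlist of approved interpreter paths; the record format, the interpreter-name set, the allowlist path and the sample records are all assumptions constructed for this example.

```python
import os
import shlex
from typing import Dict, List, Optional

# Interpreter names flagged (assumption: stock Lua/LuaJIT builds; a Lua runtime embedded in
# another program via lua_State has no such name and needs its own entry).
LUA_INTERPRETERS = {"lua", "lua5.1", "lua5.3", "lua5.4", "luajit", "lua.exe", "luajit.exe"}
# Hypothetical allowlist of interpreter paths the organisation has approved (M1047 / M1038).
APPROVED_INTERPRETERS = {"/opt/buildtools/bin/lua5.4"}

def classify_lua_execution(cmdline: str, approved=APPROVED_INTERPRETERS) -> Optional[Dict]:
    """Return a finding dict if cmdline launches a Lua interpreter, else None."""
    # Windows command lines carry backslashes, which POSIX-mode shlex would treat as escapes.
    try:
        argv = shlex.split(cmdline, posix="\\" not in cmdline)
    except ValueError:
        return None  # unbalanced quotes: not parseable, so not classifiable
    exe = argv[0].strip('"') if argv else ""
    name = os.path.basename(exe.replace("\\", "/")).lower()
    if name not in LUA_INTERPRETERS:
        return None
    args = [a.strip('"') for a in argv[1:]]
    return {
        "interpreter": exe,
        "approved": exe in approved,
        "scripts": [a for a in args if a.lower().endswith(".lua")],
        # lua's -e flag runs a chunk given on the command line, so no .lua file is needed
        "inline_code": "-e" in args,
    }

def scan_process_log(lines: List[str]) -> List[Dict]:
    """Parse 'timestamp|host|user|cmdline' records; return unapproved Lua launches."""
    findings = []
    for line in lines:
        parts = line.rstrip("\n").split("|", 3)
        if len(parts) != 4:
            continue  # malformed record: skip rather than abort the scan
        ts, host, user, cmdline = parts
        hit = classify_lua_execution(cmdline)
        if hit and not hit["approved"]:
            findings.append({"ts": ts, "host": host, "user": user, **hit})
    return findings

# Constructed sample records (not taken from any real system).
SAMPLE_LOG = [
    "2024-08-05T10:01:00Z|build01|ci|/opt/buildtools/bin/lua5.4 build.lua",
    "2024-08-05T10:02:13Z|ws-17|alice|/usr/bin/python3 report.py",
    '2024-08-05T10:03:40Z|ws-17|alice|/tmp/.cache/lua -e "print(1)"',
    r'2024-08-05T10:04:02Z|WIN-PC|bob|"C:\Users\bob\AppData\Local\Temp\lua.exe" update.lua',
]
```

`scan_process_log(SAMPLE_LOG)` returns the two launches from unapproved locations (the `/tmp` interpreter running inline code and the `lua.exe` copy under a user's Temp directory) and ignores the approved build-server interpreter.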
References
- Global Research and Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 5, 2024.
- Lua. (2024, June 25). Getting started. Retrieved August 5, 2024.
- Marschalek, Marion. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved August 5, 2024.
- Mercer, Warren. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves. Retrieved August 5, 2024.
- Raggi, Michael. Cass, Zydeca. The Proofpoint Threat Research Team. (2022, March 1). Asylum Ambuscade: State Actor Uses Lua-based Sunseed Malware to Target European Governments and Refugee Movement. Retrieved August 5, 2024.
- Mohansundaram M, Neil Tyagi. (2024, April 17). Redline Stealer: A Novel Approach. Retrieved September 17, 2025.
- Canadian Centre for Cyber Security. (2024, April 24). Cyber Activity Impacting CISCO ASA VPNs. Retrieved January 6, 2025.
- Cisco Talos. (2024, April 24). ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices. Retrieved January 6, 2025.
- Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves. Retrieved April 9, 2021.