Command and Scripting Interpreter: Lua (T1059.011)

Tactic: Execution

Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedding in applications. Lua code can be run from the command line (through the stand-alone lua interpreter, including inline code passed with -e), from script files (.lua), or from programs that embed the Lua runtime (through the lua_State struct of the C API).

Events covered

1 catalog event is tagged with this technique by at least one rule.

Provider | Event | Title
ESF | exec | Process Execution (Notify)

Authoring guide

Patterns shared across the 9 rules listed under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (26 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
EventType | 8 | eq 4, in 4 | exec, ProcessRollup2, exec_event, executed, connected-to
event.type | 8 | eq 8 | start
process_name | 7 | starts_with 6, in 5, eq 4, wildcard 3 | bash, awk, base16, base32, base64
host.os.type | 6 | eq 6 |
process.args | 6 | contains 5, eq 5, wildcard 4, starts_with 2, in 1 | */bin/*sh*, *import*pty*spawn*, *import*subprocess*call*, *-*d*, *Fiddle.dlopen(*
parent_process_name | 3 | eq 2, in 2, starts_with 1 | apache, apache2, bun, bun.exe, caddy
CommandLine | 2 | contains 2, wildcard 2 | *-*d*, *].pack("H*")*, *pack("H*",*, b64decode, base64.decode64
Esql.event_count | 2 | lt 2 | 5
Image | 2 | starts_with 2 | ./, /bin/lua, /bin/perl, /bin/php, /dev/shm/
ParentImage | 2 | is_not_null 1, starts_with 1 | /etc/update-motd.d/
container.id | 2 | starts_with 2 | ?
CurrentDirectory | 1 | contains 1 | .next, .pnpm/next, bin/next
Esql.agent_id_count_distinct | 1 | eq 1 | 1
Esql.any_payload_keyword_max | 1 | eq 1 | 1
Initiated | 1 | eq 1 | egress

Top indicator values (443 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. A high number marks a widely used indicator that is likely noisy on its own; combine it with another condition to get useful signal. Blank means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
event.type | eq | start | 8 | 606
process_name | starts_with | ruby | 6 | 21
process_name | starts_with | perl | 5 | 20
process_name | starts_with | python | 5 | 31
process_name | starts_with | lua | 4 | 15
process_name | starts_with | php | 4 | 14
process.args | eq | -c | 5 | 30
process.args | eq | -e | 5 | 15
process.args | eq | -r | 3 | 11
EventType | in | exec | 4 | 171
EventType | in | start | 3 | 134
process_name | in | bash | 4 | 88
process_name | in | dash | 4 | 78
process_name | in | sh | 4 | 83
process_name | in | zsh | 4 | 82
process_name | in | busybox | 3 | 36
process_name | in | csh | 3 | 71
process_name | in | fish | 3 | 72
process_name | in | ksh | 3 | 73
process_name | in | tcsh | 3 | 69
EventType | eq | exec | 3 | 171
process.args | contains | base64 | 3 | 4
process.args | contains | socket | 3 | 5
process_name | wildcard | bash | 3 | 14
process_name | wildcard | csh | 3 | 8
process_name | wildcard | dash | 3 | 10
process_name | wildcard | fish | 3 | 8
process_name | wildcard | ksh | 3 | 10
process_name | wildcard | lua* | 3 | 10
process_name | wildcard | php* | 3 | 16

Exclusions (62 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind | Value | Rules excluding
CurrentDirectory | wildcard | /opt/zeek | 2
CurrentDirectory | wildcard | /proc/self/fd/*/usr/local/zeek | 2
CurrentDirectory | wildcard | /usr/local/zeek | 2
CurrentDirectory | wildcard | /usr/local/zeek_old_install | 2
CurrentDirectory | wildcard | /var/lib/docker/overlay2/*/opt/zeek | 2
CurrentDirectory | wildcard | /var/lib/docker/overlay2/*/usr/local/zeek | 2
CommandLine | contains | liblzma | 1
CommandLine | contains | xz | 1
CommandLine | eq | /usr/bin/perl /usr/bin/shasum -a 256 | 1
CommandLine | starts_with | /bin/sh -c git config | 1
CurrentDirectory | eq | / | 1
CurrentDirectory | in | /home/prtg-ssh | 1
CurrentDirectory | in | /home/svc-acas-lnx | 1
CurrentDirectory | in | /tmp/newroot/home/svc-acas-lnx | 1
CurrentDirectory | in | /var/prtg/scriptsxml | 1
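To show how the indicator rows and the exclusion rows above fit together into one rule, here is an added example (not a catalog rule and not any vendor's detection code) that encodes the interpreter-prefix, inline-code-flag and payload-keyword indicators as a conjunction, applies the CurrentDirectory exclusions, and runs the result over a handful of constructed process-start events. It is written in Python because the vendor query languages cannot be run offline. The ProcessEvent shape, the helper names, the sample events, and the decision to treat each wildcard exclusion value as a directory prefix are all assumptions made for the example; the field values themselves are copied from the tables on this page.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Indicator values copied from the "Top indicator values" table on this page.
INTERPRETER_PREFIXES = ("lua", "php", "perl", "python", "ruby")  # process_name starts_with
INLINE_CODE_FLAGS = {"-c", "-e", "-r"}                           # process.args eq
PAYLOAD_KEYWORDS = ("base64", "socket")                          # process.args contains

# CurrentDirectory wildcard exclusions from the "Exclusions" table. The page shows
# the values without a trailing glob; treating each as a directory prefix is an
# assumption of this example.
EXCLUDED_CWD = (
    "/opt/zeek",
    "/proc/self/fd/*/usr/local/zeek",
    "/usr/local/zeek",
    "/usr/local/zeek_old_install",
    "/var/lib/docker/overlay2/*/opt/zeek",
    "/var/lib/docker/overlay2/*/usr/local/zeek",
)


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal normalized process event (assumed shape, not a vendor schema)."""
    event_type: str    # e.g. "start"
    process_name: str  # basename of the executable
    args: tuple        # full argv, argv[0] included
    cwd: str           # working directory at exec time


def indicators(ev: ProcessEvent) -> list:
    """Return the (field operator value) rows from the page that this event satisfies."""
    hits = []
    if ev.event_type == "start":
        hits.append("event.type eq start")
    for prefix in INTERPRETER_PREFIXES:
        if ev.process_name.startswith(prefix):
            hits.append(f"process_name starts_with {prefix}")
            break
    for flag in sorted(INLINE_CODE_FLAGS & set(ev.args)):
        hits.append(f"process.args eq {flag}")
    joined = " ".join(ev.args)
    for keyword in PAYLOAD_KEYWORDS:
        if keyword in joined:
            hits.append(f"process.args contains {keyword}")
    return hits


def excluded(ev: ProcessEvent) -> bool:
    """True when the working directory sits under one of the tabulated exclusions."""
    return any(fnmatchcase(ev.cwd, g) or fnmatchcase(ev.cwd, g + "/*") for g in EXCLUDED_CWD)


def fires(ev: ProcessEvent, apply_exclusions: bool = True) -> bool:
    """Fire only on the conjunction: a process start of an interpreter, with an
    inline-code flag and a payload keyword in its arguments, outside excluded paths.
    event.type eq start alone (corpus reach 606) would match nearly every event."""
    if apply_exclusions and excluded(ev):
        return False
    hits = indicators(ev)
    return (
        "event.type eq start" in hits
        and any(h.startswith("process_name starts_with") for h in hits)
        and any(h.startswith("process.args eq") for h in hits)
        and any(h.startswith("process.args contains") for h in hits)
    )


# Constructed sample events for this example; not real telemetry.
SAMPLE_EVENTS = (
    # Inline Lua opening a socket: the command-line execution the technique describes.
    ProcessEvent("start", "lua", ("lua", "-e", "local s=require('socket').tcp()"), "/tmp"),
    # Same shape from python with a base64-wrapped payload.
    ProcessEvent("start", "python3",
                 ("python3", "-c", "import base64,os;os.system(base64.b64decode(b'aWQ='))"),
                 "/home/user"),
    # Interpreter started on a script file, no inline-code flag.
    ProcessEvent("start", "ruby", ("ruby", "deploy.rb"), "/srv/app"),
    # Would match, but runs from a Zeek directory that the community excludes.
    ProcessEvent("start", "python3", ("python3", "-c", "import base64"), "/opt/zeek/share/zeekctl"),
    # Ordinary shell start: matches only the noisy event.type indicator.
    ProcessEvent("start", "bash", ("bash", "-c", "ls -la"), "/home/user"),
)


def summarize(events=SAMPLE_EVENTS) -> dict:
    """Count how many events each stage keeps, to show why the conjunction matters."""
    return {
        "event.type eq start alone": sum("event.type eq start" in indicators(e) for e in events),
        "interpreter prefix alone": sum(
            any(h.startswith("process_name starts_with") for h in indicators(e)) for e in events),
        "full rule, no exclusions": sum(fires(e, apply_exclusions=False) for e in events),
        "full rule with exclusions": sum(fires(e) for e in events),
    }


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{'FIRE ' if fires(ev) else 'pass '} {ev.process_name:8} {' '.join(ev.args)}")
    print(summarize())
```

On the five constructed events the broad indicator matches all five, the interpreter prefix four, the full conjunction three, and the conjunction with exclusions two; the same funnel is what the Corpus reach column is telling you to build when a single row has a three-digit reach.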

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Each rule entry carries its full predicates, exclusions, and indicators.


Elastic (9 rules)