T1059.011: Lua
Essential information
- MITRE technique ID
T1059.011- Confidence
- 100/100
- Revoked
- No
- Published
- 05/08/2024 20:19
- Modified
- 27/03/2026 01:11
- Author / Source
- The MITRE Corporation
Platforms
windows macos linux Network Devices
Description
Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (`.lua`), or from Lua-embedded programs (through the `struct lua_State`).(Citation: Lua main page)(Citation: Lua state)
Lua scripts may be executed by adversaries for malicious purposes. Adversaries may incorporate, abuse, or replace existing Lua interpreters to allow for malicious Lua command execution at runtime.(Citation: PoetRat Lua)(Citation: Lua Proofpoint Sunseed)(Citation: Cyphort EvilBunny)(Citation: Kaspersky Lua)
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | execution |
Marking (TLP)
Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.