Command and Scripting Interpreter: Lua
Other sub-techniques of Command and Scripting Interpreter (11)
Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (.lua), or from Lua-embedded programs (through the struct lua_State).(Citation: Lua main page)(Citation: Lua state)
Lua scripts may be executed by adversaries for malicious purposes. Adversaries may incorporate, abuse, or replace existing Lua interpreters to allow for malicious Lua command execution at runtime.(Citation: PoetRat Lua)(Citation: Lua Proofpoint Sunseed)(Citation: Cyphort EvilBunny)(Citation: Kaspersky Lua)
Procedure Examples |
|
| Name | Description |
|---|---|
| EvilBunny |
EvilBunny has used Lua scripts to execute payloads.(Citation: Cyphort EvilBunny) |
| Remsec |
Remsec can use modules written in Lua for execution.(Citation: Kaspersky Lua) |
| PoetRAT |
PoetRAT has executed a Lua script through a Lua interpreter for Windows.(Citation: Talos PoetRAT October 2020) |
Mitigations |
|
| Mitigation | Description |
|---|---|
| Limit Software Installation |
Block users or groups from installing unapproved software. |
| Audit |
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
| Execution Prevention |
Block execution of code on a system through application control, and/or script blocking. |
References
- Raggi, Michael. Cass, Zydeca. The Proofpoint Threat Research Team.. (2022, March 1). Asylum Ambuscade: State Actor Uses Lua-based Sunseed Malware to Target European Governments and Refugee Movement. Retrieved August 5, 2024.
- Mercer, Warren. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves. Retrieved August 5, 2024.
- Marschalek, Marion. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved August 5, 2024.
- Lua. (n.d.). lua_State. Retrieved August 5, 2024.
- Lua. (2024, June 25). Getting started. Retrieved August 5, 2024.
- Global Research and Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 5, 2024.
- Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves . Retrieved April 9, 2021.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.