LuaBot

Hunt Hypothesis

The LuaBot rule detects potential adversary behavior involving the use of Lua scripts to execute arbitrary code within a compromised environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage persistence or exfiltration activities that may evade traditional detection methods.

YARA Rule

rule LuaBot : MALW
{
        meta:
                description = "LuaBot"
                author = "Joan Soriano / @joanbtl"
                date = "2017-06-07"
                version = "1.0"
                MD5 = "9df3372f058874fa964548cbb74c74bf"
                SHA1 = "89226865501ee7d399354656d870b4a9c02db1d3"
                ref1 = "http://blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html"

        strings:
                $a = "LUA_PATH"
                $b = "Hi. Happy reversing, you can mail me: [email protected]"
                $c = "/tmp/lua_XXXXXX"
                $d = "NOTIFY"
                $e = "UPDATE"

        condition:
                all of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 5 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: Scheduled Lua Script Execution via Task Scheduler
  Description: A legitimate system administrator schedules a Lua script using Windows Task Scheduler to automate a routine maintenance task.
  Filter/Exclusion: process.parent_process_name == "Task Scheduler" or process.command_line contains "schtasks.exe"

• Scenario: Lua-based Configuration Management Tool (e.g., LuaRocks)
  Description: A DevOps engineer uses LuaRocks, a package manager for Lua, to install and manage Lua modules on a server.
  Filter/Exclusion: process.name == "luarocks" or process.command_line contains "luarocks"

• Scenario: Lua Script for Log Parsing in a Monitoring Tool (e.g., Prometheus with Lua Exporter)
  Description: A monitoring tool uses a Lua script to parse and export metrics to Prometheus.
  Filter/Exclusion: process.name == "lua" and process.command_line contains "prometheus.lua" or process.parent_process_name == "prometheus"

• Scenario: Lua Script for API Testing (e.g., using Lua with LuaSocket)
  Description: A developer uses a Lua script with LuaSocket to perform API testing or integration testing.
  Filter/Exclusion: process.name == "lua" and process.command_line contains "luaunit" or "luasocket"

• Scenario: Admin Task to Generate Lua Reports (e.g., using Lua with MySQL)
  Description: A database administrator runs a Lua script to generate reports from a MySQL database.
  Filter/Exclusion: process.name == "lua" and process.command_line contains "mysql" or "report_generator.lua"