MITRE ATT&CK® Analytic

AN0280: Analytic 0280

Detects Lua script execution via native or 3rd party interpreters, chained with unsigned binaries or unexpected parent lineage.

Enterprise · AN0280 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because Lua script execution on macOS can be easy to overlook when it occurs through legitimate or third-party interpreters. The business value is not in treating every Lua process as malicious, but in validating whether the organization can spot unusual interpreter use, especially when it is tied to unsigned binaries or parent processes that do not normally launch scripts.

Executive priority

Prioritize this as a macOS endpoint visibility and incident-readiness question: can the security team prove it collects enough process, code-signing, and parent-child execution evidence to distinguish expected scripting activity from suspicious execution chains? This is relevant for SOC coverage validation, macOS control assurance, and audit evidence around endpoint monitoring, but the supplied ATT&CK object does not specify active exploitation, impact, or a particular threat actor.

Technical view

For SOC and detection engineering teams, validate monitoring for Lua script execution via native or third-party interpreters on macOS, with emphasis on process lineage and code-signing context. The key analytic logic implied by the object is correlation: interpreter execution becomes higher value when chained with unsigned binaries or unexpected parent lineage. Because no official detection logic or relationships are supplied, teams should baseline legitimate Lua usage in their own macOS fleet before alerting broadly.

Likely telemetry

  • macOS process creation events, including command line where available
  • Parent-child process lineage for interpreter execution
  • Code-signing or binary trust status, especially unsigned binary indicators
  • Inventory or allowlist context for approved native and third-party Lua interpreters
  • Endpoint detection telemetry showing script interpreter activity on macOS

Detection direction

  • Validate that macOS endpoint telemetry captures Lua interpreter execution and parent process context reliably.
  • Tune for combinations of Lua execution with unsigned binaries or unusual parent lineage rather than alerting on Lua execution alone.
  • Baseline approved developer, automation, or application workflows that legitimately use Lua to reduce false positives.
  • Check for blind spots where third-party interpreters are not inventoried or where code-signing data is not collected.
  • Because ATT&CK provides no detection implementation details for this object, use the analytic as coverage intent rather than a complete rule.
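The correlation described in the technical view and the detection direction above, as an added example that is not part of the ATT&CK object or Glexia's page: it runs the "Lua interpreter plus unsigned binary or unexpected parent" logic over constructed macOS process-creation events. The event field names, the interpreter list and the baseline of expected parents are assumptions to be replaced with your own EDR schema and fleet baseline.

```python
"""Added example for AN0280: escalate Lua interpreter execution only when
it is chained with an unsigned binary or an unexpected parent (assumed
schema and baselines, not MITRE or Glexia detection logic)."""
from dataclasses import dataclass

# Assumed: interpreter names (native or third-party) seen in this fleet.
LUA_INTERPRETERS = {"lua", "lua5.4", "luajit"}
# Assumed baseline: parents that legitimately launch Lua in this fleet.
EXPECTED_PARENTS = {"/bin/zsh", "/bin/bash", "/usr/bin/make"}


@dataclass
class ProcEvent:
    path: str           # executable path of the new process
    cmdline: str        # command line, where the sensor provides it
    parent_path: str    # executable path of the parent process
    signed: bool        # code-signing status of the new binary
    parent_signed: bool  # code-signing status of the parent binary


def is_lua_interpreter(ev: ProcEvent) -> bool:
    return ev.path.rsplit("/", 1)[-1] in LUA_INTERPRETERS


def evaluate(ev: ProcEvent) -> list:
    """Return the reasons to escalate, or [] when the event is out of
    scope for this analytic or matches the baseline."""
    if not is_lua_interpreter(ev):
        return []
    reasons = []
    if not ev.signed:
        reasons.append("unsigned Lua interpreter binary")
    if not ev.parent_signed:
        reasons.append("unsigned parent binary")
    if ev.parent_path not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent lineage: {ev.parent_path}")
    return reasons


def triage(events: list) -> list:
    """Pair each escalated event's path with its reasons."""
    out = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            out.append((ev.path, reasons))
    return out


# Constructed sample telemetry: one baseline build, two suspicious chains,
# and one non-Lua process that this analytic should ignore.
SAMPLE_EVENTS = [
    ProcEvent("/usr/local/bin/lua", "lua build.lua", "/usr/bin/make", True, True),
    ProcEvent("/usr/local/bin/luajit", "luajit -e ...", "/tmp/updater", True, False),
    ProcEvent("/Users/u/Downloads/lua", "lua x.lua", "/bin/zsh", False, True),
    ProcEvent("/usr/bin/python3", "python3 t.py", "/tmp/updater", True, False),
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS):
        print(path, "->", "; ".join(reasons))
```

Only the two chained events are escalated; the baseline build and the non-Lua process fall through, which is the "do not alert on Lua alone" behaviour the page recommends.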

Mitigation priorities

  • Inventory legitimate Lua interpreters and macOS applications that use Lua scripting.
  • Improve endpoint logging for process creation, parent lineage, and code-signing status on macOS systems.
  • Restrict or review execution of unsigned binaries where operationally feasible.
  • Document expected scripting workflows so SOC teams can distinguish authorized automation from suspicious chains.
  • Use findings from baselining to guide managed detection tuning, incident response playbooks, and compliance evidence for endpoint monitoring controls.

Analyst notes and limits

The supplied object is a detection analytic, not a technique description. Its value is in focusing defenders on macOS Lua execution correlated with unsigned binaries or unexpected parent lineage. No tactics, relationships, aliases, or official detection logic were provided, so local environment baselining is required to determine severity and alert thresholds.

This take is limited to the official fields supplied for AN0280. It does not infer adversary behavior, active exploitation, affected systems beyond macOS, or guaranteed detection coverage. The object provides no relationship context and no concrete detection query.

Official MITRE ATT&CK definition

Analytic 0280

Detects Lua script execution via native or 3rd party interpreters, chained with unsigned binaries or unexpected parent lineage.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

  • ATT&CK release: 19.1
  • Object version: 1.0
  • Created:
  • Modified:
  • Raw hash: 4646b2cbbb424f29...

Imported snapshots across ATT&CK releases (1)

  • Release: 19.1
  • Bundle imported:
  • Object version: 1.0
  • Modified:
  • Status: Current bundle
  • Raw hash: 4646b2cbbb42…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0280 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.