Detectionmediumexperimental
Python WebServer Execution - Linux
Detects the execution of Python web servers via command line interface (CLI). After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software. This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
LinuxProcess Creation
ProductLinux← raw: linux
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic2 selectors
detection:
selection_img:
- Image|endswith:
- '/python'
- '/python2'
- '/python3'
- Image|contains:
- '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink
- '/python3.'
selection_module:
CommandLine|contains:
- 'http.server'
- 'SimpleHTTPServer'
condition: all of selection_*False Positives
Testing or development activity
MITRE ATT&CK
Tactics
Rule Metadata
Rule ID
3f0f5957-04f8-4792-ad89-192b0303bde6
Status
experimental
Level
medium
Type
Detection
Created
Fri Oct 17
Author
Path
rules/linux/process_creation/proc_creation_lnx_python_http_server_execution.yml
Raw Tags
attack.exfiltrationattack.t1048.003