Python WebServer Execution - Linux
Detects the execution of Python web servers via command line interface (CLI). After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software. This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.
Sigma rule

```yaml
title: Python WebServer Execution - Linux
id: 3f0f5957-04f8-4792-ad89-192b0303bde6
status: experimental
description: |
    Detects the execution of Python web servers via command line interface (CLI).
    After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software.
    This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.
references:
    - https://www.atomicredteam.io/atomic-red-team/atomics/T1048.003#atomic-test-8---python3-httpserver
    - https://docs.python.org/3/library/http.server.html
    - https://docs.python.org/2/library/simplehttpserver.html
author: Mohamed LAKRI
date: 2025-10-17
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    product: linux
    category: process_creation
detection:
    selection_img:
        - Image|endswith:
              - '/python'
              - '/python2'
              - '/python3'
        - Image|contains:
              - '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink
              - '/python3.'
    selection_module:
        CommandLine|contains:
            - 'http.server'
            - 'SimpleHTTPServer'
    condition: all of selection_*
falsepositives:
    - Testing or development activity
level: medium
```
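To see how the two selections combine, the following added example (not part of the Sigma rule or the Sigma project) re-implements the rule's detection logic in plain Python and runs it over a handful of constructed process_creation events. It follows Sigma's default case-insensitive string matching, treats the list of maps under `selection_img` as an OR, and ANDs the two selections as `all of selection_*` requires. The events, paths and command lines are made up for illustration; the Django `manage.py runserver` event shows a Python process that is not flagged, while the `-c` event shows that the rule keys on the module name anywhere in the command line, not only after `-m`.

```python
"""Evaluate the detection logic of the Sigma rule above on constructed events.

Added illustration, not code from the rule author or the Sigma project.
Sigma string modifiers are case-insensitive by default; that is reproduced
here by lower-casing both sides. Sample events are constructed, not captured
telemetry.
"""

# Values copied from the rule; lower-cased to mirror Sigma's case-insensitive matching.
IMAGE_ENDSWITH = ("/python", "/python2", "/python3")
IMAGE_CONTAINS = ("/python2.", "/python3.")
CMDLINE_CONTAINS = ("http.server", "simplehttpserver")


def selection_img(image: str) -> bool:
    """A list of maps under a selection is OR-ed in Sigma: either the
    'endswith' check (bare interpreter names) or the 'contains' check
    (versioned binaries such as python3.10) is enough."""
    img = image.lower()
    return img.endswith(IMAGE_ENDSWITH) or any(s in img for s in IMAGE_CONTAINS)


def selection_module(command_line: str) -> bool:
    """CommandLine|contains with a list of values is also an OR."""
    cl = command_line.lower()
    return any(s in cl for s in CMDLINE_CONTAINS)


def matches(event: dict) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    return selection_img(event.get("Image", "")) and selection_module(
        event.get("CommandLine", "")
    )


# Constructed process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/python3.10", "CommandLine": "python3 -m http.server 8000"},
    {"Image": "/usr/bin/python2.7", "CommandLine": "python -m SimpleHTTPServer 8080"},
    {"Image": "/usr/bin/python3", "CommandLine": "python3 -c 'import http.server'"},
    {"Image": "/usr/bin/python3.11", "CommandLine": "python3 manage.py runserver"},
    {"Image": "/usr/bin/php", "CommandLine": "php -S 0.0.0.0:8000"},
    {"Image": "/usr/bin/python3.12", "CommandLine": "python3 -m http.server --bind 127.0.0.1 8000"},
]


def run(events):
    """Return the subset of events the rule would alert on."""
    return [e for e in events if matches(e)]


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "|", hit["CommandLine"])
```

Running the script prints four alerts (the two `-m http.server` invocations, the `SimpleHTTPServer` invocation and the `-c` one); the PHP built-in server and the Django development server are left alone, the latter being exactly the "testing or development activity" the rule lists as a likely false positive when the command line does contain `http.server`.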
Related rules
- Data Exfiltration with Wget
- PowerShell ICMP Exfiltration
- Suspicious DNS Query with B64 Encoded String
- Suspicious Outbound SMTP Connections
- Suspicious WebDav Client Execution Via Rundll32.EXE