Python WebServer Execution - Linux

Original Source: [Sigma source]
Title: Python WebServer Execution - Linux
Status: experimental
Description: Detects the execution of Python's built-in HTTP server modules from the command line interface (CLI): `http.server` in Python 3 and its Python 2 predecessor `SimpleHTTPServer`. After gaining access to a target system, adversaries may use these modules to stand up a web server in one command, without installing additional software. This technique is commonly used in post-exploitation as a simple way to transfer files between the compromised host and attacker-controlled systems, for staging tools as well as exfiltrating data.
References:
  - https://www.atomicredteam.io/atomic-red-team/atomics/T1048.003#atomic-test-8---python3-httpserver
  - https://docs.python.org/3/library/http.server.html
  - https://docs.python.org/2/library/simplehttpserver.html
Author: Mohamed LAKRI
Date: 2025-10-17
Modified: None
Tags:
  - attack.exfiltration
  - attack.t1048.003
Logsource:
  product: linux
  category: process_creation
Detection:
  selection_img:
    - Image|endswith:
      - '/python'
      - '/python2'
      - '/python3'
    - Image|contains:
      - '/python2.'
      - '/python3.'
  selection_module:
    CommandLine|contains:
      - 'http.server'
      - 'SimpleHTTPServer'
  condition: all of selection_*
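To show exactly what this rule fires on, the following is an added example (not part of the Sigma rule or its author's material) that re-implements the detection logic above in plain Python and runs it over constructed process-creation events. The two list entries under `selection_img` are OR-ed (any `Image` suffix or substring), `selection_module` matches any of its `CommandLine` substrings, and `all of selection_*` requires both selections; Sigma string modifiers are case-insensitive by default, which the helper mirrors with `lower()`. The events, paths and ports are invented for illustration.

```python
# Added example: the Sigma detection above re-implemented as Python functions
# and run over constructed (not real) Linux process_creation events.

# Patterns copied from the rule's selections.
IMAGE_ENDSWITH = ("/python", "/python2", "/python3")
IMAGE_CONTAINS = ("/python2.", "/python3.")
CMDLINE_CONTAINS = ("http.server", "SimpleHTTPServer")

# Constructed sample events; Image is the executable path, CommandLine the full argv.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/python3", "CommandLine": "python3 -m http.server 8080"},
    {"Image": "/usr/bin/python3.11", "CommandLine": "/usr/bin/python3.11 -m http.server --bind 0.0.0.0 8000"},
    {"Image": "/usr/bin/python2.7", "CommandLine": "python -m SimpleHTTPServer 8000"},
    # one-liner still carries the module name on the command line
    {"Image": "/usr/bin/python3", "CommandLine": "python3 -c 'import http.server, socketserver; socketserver.TCPServer((\"\", 8000), http.server.SimpleHTTPRequestHandler).serve_forever()'"},
    # case variation: Sigma matching is case-insensitive unless |cased is used
    {"Image": "/usr/bin/Python3", "CommandLine": "Python3 -m HTTP.SERVER 8000"},
    # a Django dev server is a web server too, but the rule does not target it
    {"Image": "/usr/bin/python3", "CommandLine": "python3 manage.py runserver 0.0.0.0:8000"},
    # not a Python image at all
    {"Image": "/usr/bin/perl", "CommandLine": "perl -MHTTP::Server::Simple -e 'HTTP::Server::Simple->new(8000)->run'"},
    # detection gap: the module is imported inside a script, so the
    # command line never contains 'http.server'
    {"Image": "/usr/bin/python3", "CommandLine": "python3 /tmp/serve.py"},
]


def matches_image(image: str) -> bool:
    """selection_img: Image|endswith OR Image|contains (case-insensitive)."""
    img = image.lower()
    return img.endswith(IMAGE_ENDSWITH) or any(s in img for s in IMAGE_CONTAINS)


def matches_cmdline(cmdline: str) -> bool:
    """selection_module: CommandLine|contains any listed module name."""
    cl = cmdline.lower()
    return any(s.lower() in cl for s in CMDLINE_CONTAINS)


def rule_matches(event: dict) -> bool:
    """condition: all of selection_* (both selections must hold)."""
    return matches_image(event.get("Image", "")) and matches_cmdline(event.get("CommandLine", ""))


def run_detection(events: list[dict]) -> list[dict]:
    """Return the subset of events that this rule would alert on."""
    return [e for e in events if rule_matches(e)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "|", hit["CommandLine"])
```

Running it flags the first five events and leaves the last three alone. The `/tmp/serve.py` case illustrates the rule's main blind spot: it keys on the module name appearing in the command line, so a server started from a script file, or from an interactive interpreter, produces no match and would need a complementary detection (for example, on the listening socket or on file reads by the interpreter).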
Falsepositives:
  - Testing or development activity
Level: medium