Techniques
Sample rules
Python WebServer Execution - Linux
- source: sigma
- techniques:
- t1048
- t1048.003
Description
Detects the execution of Python web servers via command line interface (CLI). After gaining access to target systems, adversaries may use Python’s built-in HTTP server modules to quickly establish a web server without requiring additional software. This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.
Detection logic
condition: all of selection_*
selection_img:
    - Image|endswith:
        - /python
        - /python2
        - /python3
    - Image|contains:
        - /python2.
        - /python3.
selection_module:
    CommandLine|contains:
        - http.server
        - SimpleHTTPServer
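To show how the selections above combine ("all of selection_*" ANDs the two selections; the list under selection_img ORs its two maps; each value list is ORed; Sigma string matching is case-insensitive by default), here is an added evaluator that runs the rule over constructed Linux process-creation events. It is example code, not part of Sigma or any SIEM backend; the field names (Image, CommandLine) are taken from the rule and the sample events are made up.

```python
# Added example: minimal evaluator for the "Python WebServer Execution - Linux" rule.
# Supports only the modifiers this rule uses (endswith, contains, plus exact match).
RULE = {
    "selection_img": [  # list of maps -> OR between the maps
        {"Image|endswith": ["/python", "/python2", "/python3"]},
        {"Image|contains": ["/python2.", "/python3."]},
    ],
    "selection_module": {"CommandLine|contains": ["http.server", "SimpleHTTPServer"]},
}

def _field_matches(event, key, values):
    """Apply one Sigma field modifier; a list of values is OR'ed."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()  # Sigma matching is case-insensitive
    for v in values:
        v = v.lower()
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "contains" and v in actual:
            return True
        if modifier == "" and actual == v:
            return True
    return False

def _map_matches(event, mapping):
    # Every field inside a single map must match (AND).
    return all(_field_matches(event, k, v if isinstance(v, list) else [v])
               for k, v in mapping.items())

def selection_matches(event, selection):
    # A selection given as a list is OR'ed over its maps; a plain map is evaluated directly.
    if isinstance(selection, list):
        return any(_map_matches(event, m) for m in selection)
    return _map_matches(event, selection)

def rule_matches(event, rule=RULE):
    """Condition 'all of selection_*': every selection_* block must match."""
    return all(selection_matches(event, sel)
               for name, sel in rule.items() if name.startswith("selection_"))

# Constructed sample events (not real telemetry).
EVENTS = [
    {"Image": "/usr/bin/python3", "CommandLine": "python3 -m http.server 8080"},
    {"Image": "/usr/bin/python3.11", "CommandLine": "python3.11 -m http.server"},
    {"Image": "/usr/bin/python2", "CommandLine": "python -m SimpleHTTPServer 8000"},
    {"Image": "/usr/bin/python3", "CommandLine": "python3 manage.py runserver"},  # no stdlib HTTP module
    {"Image": "/usr/bin/perl", "CommandLine": "perl -e http.server"},  # not a python image
]

def matching_events(events=EVENTS):
    return [e for e in events if rule_matches(e)]
```

Note that the second event only matches through the Image|contains branch ("/python3." covers versioned binaries such as python3.11 that the endswith branch misses).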