Adversaries may use Python’s built-in HTTP server modules to establish a covert command and control channel or exfiltrate data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or data exfiltration activities leveraging Python web servers.
Detection Rule

```yaml
title: Python WebServer Execution - Linux
id: 3f0f5957-04f8-4792-ad89-192b0303bde6
status: experimental
description: |
    Detects the execution of Python web servers via command line interface (CLI).
    After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software.
    This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.
references:
    - https://www.atomicredteam.io/atomic-red-team/atomics/T1048.003#atomic-test-8---python3-httpserver
    - https://docs.python.org/3/library/http.server.html
    - https://docs.python.org/2/library/simplehttpserver.html
author: Mohamed LAKRI
date: 2025-10-17
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    product: linux
    category: process_creation
detection:
    selection_img:
        - Image|endswith:
            - '/python'
            - '/python2'
            - '/python3'
        - Image|contains:
            - '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink
            - '/python3.'
    selection_module:
        CommandLine|contains:
            - 'http.server'
            - 'SimpleHTTPServer'
    condition: all of selection_*
falsepositives:
    - Testing or development activity
level: medium
```
Azure Sentinel query (KQL, over the ASIM imProcessCreate parser):

```kql
imProcessCreate
| where (TargetProcessName endswith "/python"
        or TargetProcessName endswith "/python2"
        or TargetProcessName endswith "/python3"
        or TargetProcessName contains "/python2."
        or TargetProcessName contains "/python3.")
    and (TargetProcessCommandLine contains "http.server"
        or TargetProcessCommandLine contains "SimpleHTTPServer")
```
Scenario: Development Server Running on Localhost
Description: A developer may run a local Python web server (python -m http.server) for testing or development purposes on localhost.
Filter/Exclusion: Check for --bind 127.0.0.1 or a port argument that is not a standard web port (e.g., 8000, 8080). Use a filter like:
`(http.server OR SimpleHTTPServer) AND NOT (bind=0.0.0.0 OR port=80 OR port=443)`
Scenario: Scheduled Job for Static File Serving
Description: A cron job or systemd service may run a Python HTTP server to serve static files (e.g., for internal documentation or CI/CD artifacts).
Filter/Exclusion: Include a filter for known job names or paths, such as:
`(http.server OR SimpleHTTPServer) AND (path=/var/www/static OR job_name=static_file_server)`
Scenario: Admin Task to Test Network Connectivity
Description: An admin may use a Python HTTP server to test network connectivity or as part of a network diagnostic tool.
Filter/Exclusion: Filter by user or command context, such as:
`(http.server OR SimpleHTTPServer) AND (user=admin OR command=network-diagnostic)`
Scenario: Python Script for Internal API Testing
Description: A Python script using http.server may be used internally to test an API or mock endpoints during development.
Filter/Exclusion: Include a filter for script names or directories, such as:
`(http.server OR SimpleHTTPServer) AND (path=/opt/api-testing OR script_name=test_api.py)`
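As an added example (not code from the rule above or from its author), the following Python mirrors the rule's `all of selection_*` logic and the loopback-bind exclusion from the first scenario, run over constructed process_creation events; the event field names, the sample events and the `--bind`/`-b` parsing are assumptions.

```python
import re

# Constructed sample process_creation events (not taken from any real host).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/python3.10", "CommandLine": "python3 -m http.server 8000", "User": "www-data"},
    {"Image": "/usr/bin/python3", "CommandLine": "python3 -m http.server --bind 127.0.0.1 8000", "User": "dev"},
    {"Image": "/usr/bin/python2.7", "CommandLine": "python -m SimpleHTTPServer 80", "User": "root"},
    {"Image": "/usr/bin/python3", "CommandLine": "python3 manage.py runserver", "User": "dev"},
    {"Image": "/usr/bin/perl", "CommandLine": "perl -e 'http.server'", "User": "dev"},
]

# Sigma's endswith/contains modifiers (and KQL's) are case-insensitive, so compare in lowercase.
IMAGE_SUFFIXES = ("/python", "/python2", "/python3")
IMAGE_SUBSTRINGS = ("/python2.", "/python3.")
MODULE_MARKERS = ("http.server", "simplehttpserver")
LOOPBACK = ("127.0.0.1", "::1", "localhost")


def matches_rule(event):
    """Mirror of the rule: selection_img AND selection_module."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    selection_img = image.endswith(IMAGE_SUFFIXES) or any(s in image for s in IMAGE_SUBSTRINGS)
    selection_module = any(m in cmd for m in MODULE_MARKERS)
    return selection_img and selection_module


def bound_to_loopback(cmd):
    """True when --bind/-b pins the listener to a loopback address (dev-only server)."""
    m = re.search(r"(?:--bind|-b)[ =](\S+)", cmd)
    return m is not None and m.group(1).lower() in LOOPBACK


def triage(events):
    """Split matching events into alerts and suppressed loopback-only hits."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches_rule(ev):
            continue
        if bound_to_loopback(ev["CommandLine"]):
            suppressed.append(ev)
        else:
            alerts.append(ev)
    return alerts, suppressed


if __name__ == "__main__":
    found, quiet = triage(SAMPLE_EVENTS)
    for ev in found:
        print("ALERT", ev["User"], ev["CommandLine"])
    for ev in quiet:
        print("SUPPRESSED (loopback bind)", ev["User"], ev["CommandLine"])
```

The same loopback exclusion can be appended to the Sentinel query as `| where not(TargetProcessCommandLine matches regex @"(--bind|-b)[ =](127\.0\.0\.1|::1|localhost)")`.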