Simple HTTP Web Server Connection

Last updated 6 months ago on 2025-01-15

Created 7 months ago on 2024-12-17

About

This rule detects connections accepted by a simple HTTP web server in Python and PHP built-in modules. Adversaries may create simple HTTP web servers to establish persistence on a compromised system by uploading a reverse or command shell payload to the server web root, allowing them to regain remote access to the system if lost. This event may occur when an attacker requests the server to execute a command or script via a potential backdoor.

Tags

Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: PersistenceTactic: ExecutionTactic: Command and ControlData Source: Elastic DefendLanguage: eql

Severity

low

Risk Score

MITRE ATT&CK™

Persistence (TA0003)(opens in a new tab or window)

↳ Server Software Component (T1505)(opens in a new tab or window)

Execution (TA0002)(opens in a new tab or window)

↳ Command and Scripting Interpreter (T1059)(opens in a new tab or window)

Command and Control (TA0011)(opens in a new tab or window)

↳ Application Layer Protocol (T1071)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Event Correlation Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-endpoint.events.network*
Related Integrations: endpoint(opens in a new tab or window)
Query

network where host.os.type == "linux" and event.type == "start" and event.action == "connection_accepted" and (
  (process.name regex~ """php?[0-9]?\.?[0-9]{0,2}""" and process.command_line like "*-S*") or
  (process.name like "python*" and process.command_line like ("*--cgi*", "*CGIHTTPServer*"))
)

Install detection rules in Elastic Security

Detect Simple HTTP Web Server Connection in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).