Elastic Security Detection Rules

Simple HTTP Web Server Connection

Last updated 2 months ago on 2025-12-22
Created a year ago on 2024-12-17

About

This rule detects connections accepted by a simple HTTP web server in Python and PHP built-in modules. Adversaries may create simple HTTP web servers to establish persistence on a compromised system by uploading a reverse or command shell payload to the server web root, allowing them to regain remote access to the system if lost. This event may occur when an attacker requests the server to execute a command or script via a potential backdoor.
Tags
Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: PersistenceTactic: ExecutionTactic: Command and ControlData Source: Elastic DefendLanguage: eql
Severity
low
Risk Score
21
MITRE ATT&CK™

Persistence (TA0003)(external, opens in a new tab or window)

Server Software Component (T1505)(external, opens in a new tab or window)

Execution (TA0002)(external, opens in a new tab or window)

Command and Scripting Interpreter (T1059)(external, opens in a new tab or window)

Command and Control (TA0011)(external, opens in a new tab or window)

Application Layer Protocol (T1071)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.process*logs-endpoint.events.network*
Related Integrations

endpoint(external, opens in a new tab or window)

Query
text code block:
sequence by process.entity_id with maxspan=1m
[process where host.os.type == "linux" and event.type == "start" and 
 (
  (process.name regex~ """php?[0-9]?\.?[0-9]{0,2}""" and process.command_line like "*-S*") or
  (process.name like "python*" and process.command_line like ("*--cgi*", "*CGIHTTPServer*"))
 ) and not process.parent.command_line == "runc init"
]
[network where host.os.type == "linux" and event.type == "start" and event.action == "connection_accepted"]

Install detection rules in Elastic Security

Detect Simple HTTP Web Server Connection in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).