Detects the immediate execution of Python web servers (e.g., http.server) via the command line interface (CLI)

rules/linux/auditd/lnx_auditd_rules_auditd_deletion.yml

@@ -0,0 +1,24 @@
+title: Deletion of Auditd Rules
+id: bed26dea-4525-47f4-b24a-76e30e44ffb0
+status: test
+description: Detects the execution of the "auditctl -D" command in auditd logs, which deletes existing audit rules.
+references:
+    - https://www.atomicredteam.io/atomic-red-team/atomics/T1562.012
+author: Mohamed LAKRI
+date: 2024-11-12
+
+tags:
+    - attack.defense-evasion
+    - attack.T1562.012
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'EXECVE'
+        a0: 'auditctl'
+        a1: '-D'
+    condition: selection
+falsepositives:
+    - An administrator troubleshooting
+level: medium

rules/linux/auditd/lnx_auditd_unsecure_python_webserver.yml

@@ -0,0 +1,26 @@
+title: Unsecure Python Webserver
+id: 3f0f5957-04f8-4792-ad89-192b0303bde6
+status: experimental
+description: Detects the instant launch of Python web servers via CLI.
+references:
+    - https://www.atomicredteam.io/atomic-red-team/atomics/T1048.003
+    - https://attack.mitre.org/techniques/T1048/003/
+author: Mohamed LAKRI
+date: 2024-11-13
+tags:
+    - attack.exfiltration
+    - attack.T1048.003
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'EXECVE'
+        a0|contains: 'python'
+        a1|contains:
+            - 'http.server'
+            - 'SimpleHTTPServer'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium