Python HTTP Server#

Metadata#

Contributors

Roberto Rodriguez @Cyb3rWard0g

Creation Date

2020/10/29

Modification Date

2020/10/29

Tactics

TA0002

Techniques

T1059

Tags

None

Dataset Description#

This dataset represents threat actors adding a FW inbound rule and starting a Python HTTP Server.

Simulation Metadata#

Tools#

type

Name

Module

Manual

PowerShell

PowerShell

Adversary View#

Add Firewall Rule
-----------------
PS > & netsh advfirewall firewall add rule name="python.exe" dir=in action=allow description="python.exe" program="C:\users\wardog\appdata\local\programs\python\python39\python.exe" enable=yes localport=any protocol=tcp remoteip=any
Ok.    

PS > & netsh advfirewall firewall add rule name="python.exe" dir=in action=allow description="python.exe" program="C:\users\wardog\appdata\local\programs\python\python39\python.exe" enable=yes localport=any protocol=udp remoteip=any
Ok.

Start HTTP Server
-----------------
PS > python -m http.server 8000

Serving HTTP on :: port 8000 (http://[::]:8000/) ...

Explore Datasets#

Download & Decompress Dataset#

import requests
from zipfile import ZipFile
from io import BytesIO

url = https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/execution/host/psh_python_webserver.zip
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read JSON File#

from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)

Access Security Events#

df.groupby(['Channel']).size().sort_values(ascending=False)