
Summary
This detection rule targets the execution of Python web servers on Linux systems via the command line interface (CLI). Adversaries often use Python's built-in HTTP server module post-exploitation to stand up a web server quickly and transfer files between a compromised host and the attacker's infrastructure. The rule looks for process creation events in which the executable is a Python interpreter (python2 or python3) and the command line indicates that a web server module was started (http.server or SimpleHTTPServer). This lets defenders identify activity that leverages Python in less obvious ways for file exfiltration or lateral movement within a compromised network. The rule applies to Linux environments and aims to reduce the risk of unauthorized web server deployment.
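The following is an added example, not part of the original rule or its detection engine, showing the matching logic described above applied to constructed process creation events. It assumes a simplified event shape (an executable path plus its full command line); the `ProcessEvent` class, the `SAMPLE_EVENTS` list and the helper names are mine. Matching on the interpreter path is anchored so that only `python`, `python2`, `python3` and versioned variants such as `python3.11` qualify, and the command line is checked for the two module names the rule names. Note that a developer serving a local directory with `python3 -m http.server` will also match, so the output is a candidate for triage rather than a verdict.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Interpreter basenames the rule is interested in: python, python2, python3,
# and versioned forms such as python2.7 or python3.11. Anchored at the end of
# the path so that names like "python3-config" do not match.
PYTHON_IMAGE = re.compile(r"(^|/)python(2|3)?(\.\d+)?$")

# Command-line markers for the built-in HTTP server module (python3 / python2).
WEB_SERVER_MARKERS = ("http.server", "SimpleHTTPServer")

# Technique id taken from the rule's ATT&CK mapping.
TECHNIQUE_ID = "T1048.003"


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process creation record (hypothetical shape for this example)."""
    image: str          # full path of the executable that was started
    command_line: str   # complete command line, as logged by the endpoint sensor
    user: str = "unknown"


def is_python_web_server(event: ProcessEvent) -> bool:
    """True when the executable is a Python interpreter and the command line
    indicates that http.server or SimpleHTTPServer was invoked."""
    if not PYTHON_IMAGE.search(event.image):
        return False
    return any(marker in event.command_line for marker in WEB_SERVER_MARKERS)


def find_matches(events: Iterable[ProcessEvent]) -> List[dict]:
    """Run the detection over a batch of events and return alert records."""
    alerts = []
    for event in events:
        if is_python_web_server(event):
            alerts.append({
                "technique": TECHNIQUE_ID,
                "user": event.user,
                "image": event.image,
                "command_line": event.command_line,
            })
    return alerts


# Constructed sample telemetry; none of these values come from a real host.
SAMPLE_EVENTS = [
    ProcessEvent("/usr/bin/python3", "python3 -m http.server 8080", "www-data"),
    ProcessEvent("/usr/bin/python2.7", "python2.7 -m SimpleHTTPServer 8000", "backup"),
    ProcessEvent("/usr/bin/python3",
                 "python3 -m http.server --bind 0.0.0.0 8000 --directory /tmp/staging",
                 "backup"),
    # Benign: a Django dev server is a Python process but not the built-in module.
    ProcessEvent("/usr/bin/python3", "python3 /opt/app/manage.py runserver", "dev"),
    # The shell wrapper itself is not a Python image; the child python3 process
    # would produce its own event and be caught there.
    ProcessEvent("/usr/bin/bash", "bash -c 'python3 -m http.server'", "dev"),
    # Similar name, not an interpreter.
    ProcessEvent("/usr/bin/python3-config", "python3-config --includes", "dev"),
]


def main() -> None:
    for alert in find_matches(SAMPLE_EVENTS):
        print(f"[{alert['technique']}] user={alert['user']} "
              f"image={alert['image']} cmd={alert['command_line']!r}")


if __name__ == "__main__":
    main()
```

When adapting this to a real pipeline, match on the event fields your sensor actually provides (for example the image path and command line of a process creation event) and consider suppressing known developer workstations or CI hosts where the built-in server is used legitimately, rather than weakening the match itself.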
Categories
- Linux
- Endpoint
- Network
Data Sources
- Process
ATT&CK Techniques
- T1048.003
Created: 2025-10-17