Simple HTTP Web Server Creation

Elastic Detection Rules

Summary
This detection rule identifies the unauthorized creation of simple HTTP web servers using the built-in server modules of PHP or Python on Linux systems. Adversaries often deploy these lightweight servers to establish persistence by staging malicious payloads, such as reverse shells, which can restore remote access if the initial entry vector is lost. The rule uses EQL (Event Query Language) to monitor process-start events, looking specifically for PHP executed with the '-S' argument or Python executed with the '--cgi' or 'CGIHTTPServer' options. The accompanying investigation guide helps analysts distinguish legitimate use from malicious activity, advising them to review the related process executions, user accounts, network activity, and file system changes associated with the web server's operation. The rule aims to catch early signs of adversarial behavior that may indicate a deeper compromise of the system.
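To make the matching logic concrete, the following is an added Python example, not Elastic's rule code and not shaped like its ECS event schema: it applies the three conditions described above (PHP with '-S', Python with '--cgi' or 'CGIHTTPServer') to constructed process-start events, and shows why the PHP check must stay case-sensitive.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class ProcessEvent:
    """Constructed stand-in for a Linux process-start event (not Elastic's ECS schema)."""
    process_name: str      # basename of the executable, e.g. "python3"
    args: List[str]        # full argv, including argv[0]
    user: str = "unknown"

def match_simple_http_server(ev: ProcessEvent) -> Optional[str]:
    """Return a label for the pattern the rule describes, or None if no match.

    PHP: '-S' (capital S) starts the built-in server; lowercase '-s' only
    syntax-highlights a file, so the comparison is deliberately case-sensitive.
    Python: '--cgi' (http.server's CGI mode) or the Python 2 'CGIHTTPServer' module.
    """
    name = ev.process_name
    if name.startswith("php") and "-S" in ev.args[1:]:
        return "php_builtin_server"
    if name.startswith("python"):
        if "--cgi" in ev.args[1:]:
            return "python_http_server_cgi"
        if "CGIHTTPServer" in ev.args[1:]:
            return "python_cgihttpserver"
    return None

def detect(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Scan a batch of events; return (event index, label) for each hit."""
    hits = []
    for i, ev in enumerate(events):
        label = match_simple_http_server(ev)
        if label:
            hits.append((i, label))
    return hits

# Constructed sample events: two true positives, one Python 2 form, and benign noise.
SAMPLE_EVENTS = [
    ProcessEvent("php", ["php", "-S", "0.0.0.0:8080", "-t", "/tmp/www"], "www-data"),
    ProcessEvent("python3", ["python3", "-m", "http.server", "--cgi", "8000"], "root"),
    ProcessEvent("python", ["python", "-m", "CGIHTTPServer"], "alice"),
    ProcessEvent("php", ["php", "-s", "index.php"], "dev"),       # lowercase -s: no match
    ProcessEvent("python3", ["python3", "manage.py", "runserver"], "dev"),
]

def run_sample() -> List[Tuple[int, str]]:
    """Run the detector over the constructed batch; used for the worked example."""
    return detect(SAMPLE_EVENTS)
```

Each hit should then be triaged as the investigation guide describes: which user launched it, what directory it serves, and whether any connections reached the listening port.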
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1505
  • T1505.003
  • T1059
  • T1059.004
  • T1071
Created: 2024-12-17