IIS WebServer Access Logs Deleted
Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence
Sigma rule
title: IIS WebServer Access Logs Deleted
id: 3eb8c339-a765-48cc-a150-4364c04652bf
related:
    - id: 0649be4a-aeb0-45b0-b89e-7f1668f6d9c0
      type: similar
status: test
description: Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence
references:
    - https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html
author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-16
modified: 2023-02-15
tags:
    - attack.defense-evasion
    - attack.t1070
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        TargetFilename|contains: '\inetpub\logs\LogFiles\'
        TargetFilename|endswith: '.log'
    condition: selection
falsepositives:
    - During uninstallation of the IIS service
    - During log rotation
level: medium
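The selection above applied in code, as an added example that is not part of the rule or of the Sigma project: it evaluates the rule's two TargetFilename modifiers (ANDed, case-insensitive as Sigma specifies) over a few constructed Windows file-delete events; the event field layout follows Sysmon Event ID 23 records, which is an assumption about the log backend.

```python
# Added example: evaluate this Sigma rule's selection against constructed
# Windows file_delete events. Not part of the rule or of the Sigma project.
# Sigma string matching is case-insensitive by default; the rule's path
# fragment is compared literally, so sample paths use Windows separators.
# All events below are constructed samples, not real telemetry.

# Values copied from the rule's selection block.
CONTAINS = "\\inetpub\\logs\\LogFiles\\"
ENDSWITH = ".log"


def matches_rule(event: dict) -> bool:
    """True when the event satisfies both TargetFilename conditions (AND)."""
    target = event.get("TargetFilename")
    if target is None:
        return False  # field absent: Sigma cannot match on it
    t = target.lower()
    return CONTAINS.lower() in t and t.endswith(ENDSWITH.lower())


def find_matches(events: list) -> list:
    """Return the events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events shaped like Sysmon Event ID 23 (FileDelete) records.
SAMPLE_EVENTS = [
    {"EventID": 23, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex240101.log"},
    # Upper-case path: still matches because Sigma compares case-insensitively.
    {"EventID": 23, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\INETPUB\\LOGS\\LOGFILES\\W3SVC1\\U_EX240102.LOG"},
    # Right folder, wrong suffix: the endswith clause fails.
    {"EventID": 23, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex240103.log.tmp"},
    # A .log deleted elsewhere: the contains clause fails.
    {"EventID": 23, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\Logs\\CBS\\CBS.log"},
    # Event without the field at all.
    {"EventID": 23, "Image": "C:\\Windows\\System32\\svchost.exe"},
]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT level=medium:", hit["Image"], "deleted", hit["TargetFilename"])
```

The two false positives the rule lists (IIS uninstallation, log rotation) would also match here; separating them is a triage step on the deleting Image and timing, not something the selection itself encodes.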
Related rules
- IIS WebServer Log Deletion via CommandLine Utilities
- Kubernetes Events Deleted
- Clearing Windows Console History
- DLL Load By System Process From Suspicious Locations
- Disable of ETW Trace - Powershell