IIS WebServer Access Logs Deleted
Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence
Sigma rule (View on GitHub)
1title: IIS WebServer Access Logs Deleted
2id: 3eb8c339-a765-48cc-a150-4364c04652bf
3status: test
4description: Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence
5references:
6 - https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html
7author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
8date: 2022-09-16
9modified: 2023-02-15
10tags:
11 - attack.defense-evasion
12 - attack.t1070
13logsource:
14 category: file_delete
15 product: windows
16detection:
17 selection:
18 TargetFilename|contains: '\inetpub\logs\LogFiles\'
19 TargetFilename|endswith: '.log'
20 condition: selection
21falsepositives:
22 - During uninstallation of the IIS service
23 - During log rotation
24level: medium
References
-
WebServer Access Logs Deleted edit Identifies the deletion of WebServer access logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system. Rule type: eql Rule in...
Read More
Related rules
- Clearing Windows Console History
- DLL Load By System Process From Suspicious Locations
- Disable of ETW Trace - Powershell
- ETW Trace Evasion Activity
- EventLog EVTX File Deleted