IIS WebServer Access Logs Deleted
Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence
Sigma rule (View on GitHub)
1title: IIS WebServer Access Logs Deleted
2id: 3eb8c339-a765-48cc-a150-4364c04652bf
3status: test
4description: Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence
5references:
6 - https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html
7author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
8date: 2022/09/16
9modified: 2023/02/15
10tags:
11 - attack.defense_evasion
12 - attack.t1070
13logsource:
14 category: file_delete
15 product: windows
16detection:
17 selection:
18 TargetFilename|contains: '\inetpub\logs\LogFiles\'
19 TargetFilename|endswith: '.log'
20 condition: selection
21falsepositives:
22 - During uninstallation of the IIS service
23 - During log rotation
24level: medium
References
-
WebServer Access Logs Deletededit Identifies the deletion of WebServer access logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system. Rule type: eql Rule ind...
Read More
Related rules
- EventLog EVTX File Deleted
- PowerShell Console History Logs Deleted
- Tomcat WebServer Logs Deleted
- Exchange PowerShell Cmdlet History Deleted
- SES Identity Has Been Deleted