IIS WebServer Log Deletion via CommandLine Utilities

 1title: IIS WebServer Log Deletion via CommandLine Utilities
 2id: 0649be4a-aeb0-45b0-b89e-7f1668f6d9c0
 3related:
 4    - id: 3eb8c339-a765-48cc-a150-4364c04652bf
 5      type: similar
 6status: experimental
 7description: |
 8    Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks.
 9    Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.    
10references:
11    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage
12author: Swachchhanda Shrawan Poudel (Nextron Systems)
13date: 2025-09-02
14tags:
15    - attack.defense-evasion
16    - attack.t1070
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection_img:
22        - Image|endswith:
23              - '\cmd.exe'
24              - '\powershell_ise.exe'
25              - '\powershell.exe'
26              - '\pwsh.exe'
27        - OriginalFileName:
28              - 'cmd.exe'
29              - 'powershell.exe'
30              - 'powershell_ise.exe'
31              - 'pwsh.dll'
32    selection_cli_del:
33        CommandLine|contains:
34            - 'del '
35            - 'erase '
36            - 'rm '
37            - 'remove-item '
38            - 'rmdir '
39    selection_cli_iis_dir:
40        CommandLine|contains: '\inetpub\logs\'
41    condition: all of selection_*
42falsepositives:
43    - Deletion of IIS logs that are older than a certain retention period as part of regular maintenance activities.
44    - Legitimate schedule tasks or scripts that clean up log files regularly.
45    # More Fp cases
46    # https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage#02
47level: medium