IIS WebServer Log Deletion via CommandLine Utilities
Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks. Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.
Sigma rule
title: IIS WebServer Log Deletion via CommandLine Utilities
id: 0649be4a-aeb0-45b0-b89e-7f1668f6d9c0
related:
    - id: 3eb8c339-a765-48cc-a150-4364c04652bf
      type: similar
status: experimental
description: |
    Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks.
    Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.
references:
    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-02
tags:
    - attack.defense-evasion
    - attack.t1070
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\cmd.exe'
              - '\powershell_ise.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'cmd.exe'
              - 'powershell.exe'
              - 'powershell_ise.exe'
              - 'pwsh.dll'
    selection_cli_del:
        CommandLine|contains:
            - 'del '
            - 'erase '
            - 'rm '
            - 'remove-item '
            - 'rmdir '
    selection_cli_iis_dir:
        CommandLine|contains: '\inetpub\logs\'
    condition: all of selection_*
falsepositives:
    - Deletion of IIS logs that are older than a certain retention period as part of regular maintenance activities.
    - Legitimate scheduled tasks or scripts that clean up log files regularly.
    # More FP cases:
    # https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage#02
level: medium
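To see what the three selections actually fire on, here is the rule's matching logic re-implemented by hand and run over constructed process_creation events. This is an added example, not code from the rule author, Nextron Systems or the Sigma project; the events are made up for illustration, and the matcher mimics Sigma's default behaviour for the `contains` and `endswith` modifiers (case-insensitive substring and suffix tests). It shows two true positives, the scheduled-cleanup false positive the rule itself lists, and one gap: a PowerShell alias such as `ri` is not in the delete-verb list, so a one-liner using it is not caught.

```python
"""Replay the 'IIS WebServer Log Deletion via CommandLine Utilities' rule
over constructed Windows process_creation events (added example, not the
rule's own code; events are constructed, not captured from a real host)."""

# Values copied from the rule. Sigma string modifiers are case-insensitive
# by default, so everything is compared in lower case.
IMAGES = ('\\cmd.exe', '\\powershell_ise.exe', '\\powershell.exe', '\\pwsh.exe')
ORIGINAL_FILE_NAMES = ('cmd.exe', 'powershell.exe', 'powershell_ise.exe', 'pwsh.dll')
DELETE_VERBS = ('del ', 'erase ', 'rm ', 'remove-item ', 'rmdir ')
IIS_LOG_DIR = '\\inetpub\\logs\\'


def selection_img(event):
    """selection_img: Image|endswith OR OriginalFileName equals (list = OR)."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGES) or ofn in ORIGINAL_FILE_NAMES


def selection_cli_del(event):
    """selection_cli_del: CommandLine|contains any delete verb."""
    cmd = event.get("CommandLine", "").lower()
    return any(verb in cmd for verb in DELETE_VERBS)


def selection_cli_iis_dir(event):
    """selection_cli_iis_dir: CommandLine|contains the IIS log directory."""
    return IIS_LOG_DIR in event.get("CommandLine", "").lower()


def matches(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli_del(event) and selection_cli_iis_dir(event)


# Constructed sample events (label, fields as a process_creation log would carry them).
EVENTS = [
    ("attacker_cmd_del", {
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd.exe /c del /q C:\inetpub\logs\LogFiles\W3SVC1\u_ex250902.log",
    }),
    ("attacker_ps_remove_item", {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r'powershell -NoP -W Hidden -c "Remove-Item C:\inetpub\logs\LogFiles\W3SVC1\*.log -Force"',
    }),
    # Retention cleanup from a scheduled task: matches, and is the documented false positive.
    ("scheduled_forfiles_cleanup", {
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r'cmd.exe /c forfiles /p C:\inetpub\logs\LogFiles /s /m *.log /d -30 /c "cmd /c del @file"',
    }),
    # PowerShell alias 'ri' is not in DELETE_VERBS, so this deletion is missed.
    ("alias_ri_evasion", {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r'powershell -c "gci $env:SystemDrive\inetpub\logs\LogFiles -r | ri -Force"',
    }),
    # Deletion outside the IIS log tree: selection_cli_iis_dir fails.
    ("unrelated_del", {
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd.exe /c del C:\Temp\build.tmp",
    }),
]


def evaluate(events=EVENTS):
    """Return {label: matched} for every event."""
    return {label: matches(ev) for label, ev in events}


if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{'ALERT' if hit else '  -  '} {label}")
```

The forfiles case is worth keeping in mind when tuning: the usual fix is a filter on the parent process or script path of the known cleanup job, not on the `del` verb, since the attacker's command line looks the same. The `ri` miss is a reminder that `selection_cli_del` is a keyword list, not a semantic check, and that ScriptBlock logging (Event ID 4104) is a better place to catch alias-based deletions.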
References
- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage
Related rules
- IIS WebServer Access Logs Deleted
- Kubernetes Events Deleted
- Clearing Windows Console History
- DLL Load By System Process From Suspicious Locations
- Disable of ETW Trace - Powershell