IIS WebServer Log Deletion via CommandLine Utilities

Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks. Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.

Sigma rule (View on GitHub)

 1title: IIS WebServer Log Deletion via CommandLine Utilities
 2id: 0649be4a-aeb0-45b0-b89e-7f1668f6d9c0
 3related:
 4    - id: 3eb8c339-a765-48cc-a150-4364c04652bf
 5      type: similar
 6status: experimental
 7description: |
 8    Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks.
 9    Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.    
10references:
11    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage
12author: Swachchhanda Shrawan Poudel (Nextron Systems)
13date: 2025-09-02
14tags:
15    - attack.defense-evasion
16    - attack.t1070
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection_img:
22        - Image|endswith:
23              - '\cmd.exe'
24              - '\powershell_ise.exe'
25              - '\powershell.exe'
26              - '\pwsh.exe'
27        - OriginalFileName:
28              - 'cmd.exe'
29              - 'powershell.exe'
30              - 'powershell_ise.exe'
31              - 'pwsh.dll'
32    selection_cli_del:
33        CommandLine|contains:
34            - 'del '
35            - 'erase '
36            - 'rm '
37            - 'remove-item '
38            - 'rmdir '
39    selection_cli_iis_dir:
40        CommandLine|contains: '\inetpub\logs\'
41    condition: all of selection_*
42falsepositives:
43    - Deletion of IIS logs that are older than a certain retention period as part of regular maintenance activities.
44    - Legitimate schedule tasks or scripts that clean up log files regularly.
45    # More Fp cases
46    # https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage#02
47level: medium

References

Related rules

to-top