IIS WebServer Log Deletion via CommandLine Utilities
Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks. Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.
Log source: process creation events, generated when a new process is spawned on the system. These cover command-line arguments, parent/child relationships, and process metadata.
detection:
  selection_img:
    - Image|endswith:
        - '\cmd.exe'
        - '\powershell_ise.exe'
        - '\powershell.exe'
        - '\pwsh.exe'
    - OriginalFileName:
        - 'cmd.exe'
        - 'powershell.exe'
        - 'powershell_ise.exe'
        - 'pwsh.dll'
  selection_cli_del:
    CommandLine|contains:
      - 'del '
      - 'erase '
      - 'rm '
      - 'remove-item '
      - 'rmdir '
  selection_cli_iis_dir:
    CommandLine|contains: '\inetpub\logs\'
  condition: all of selection_*

False positives:
- Deletion of IIS logs that are older than a certain retention period as part of regular maintenance activities.
- Legitimate scheduled tasks or scripts that clean up log files regularly.
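A reference implementation of the rule's detection logic, added here as an example (it is not part of the Sigma rule or any converter backend): it applies the three selections with Sigma's case-insensitive matching to constructed process-creation events, including a renamed shell binary that only the OriginalFileName check catches and two commands that touch the log directory or use a delete verb without satisfying all three selections. The sample events and their field layout are constructed for the example.

```python
# Added example (not part of the rule page): the rule's detection logic in
# Python, evaluated over constructed process-creation events.
IMAGE_SUFFIXES = ('\\cmd.exe', '\\powershell_ise.exe', '\\powershell.exe', '\\pwsh.exe')
ORIGINAL_FILENAMES = ('cmd.exe', 'powershell.exe', 'powershell_ise.exe', 'pwsh.dll')
DELETE_VERBS = ('del ', 'erase ', 'rm ', 'remove-item ', 'rmdir ')
IIS_LOG_DIR = '\\inetpub\\logs\\'


def matches_iis_log_deletion(event: dict) -> bool:
    """Apply the three selections with Sigma semantics: endswith/contains/list
    matching is case-insensitive, and 'all of selection_*' ANDs the results."""
    image = event.get('Image', '').lower()
    original = event.get('OriginalFileName', '').lower()
    cmdline = event.get('CommandLine', '').lower()

    # selection_img is a list of two maps, so either field check suffices (OR).
    # OriginalFileName catches a renamed shell binary that Image alone would miss.
    shell_ok = image.endswith(IMAGE_SUFFIXES) or original in ORIGINAL_FILENAMES
    # selection_cli_del: any delete verb; the trailing space avoids e.g. 'delay'.
    delete_ok = any(verb in cmdline for verb in DELETE_VERBS)
    # selection_cli_iis_dir: the default IIS log root must appear on the command line.
    iis_dir_ok = IIS_LOG_DIR in cmdline
    return shell_ok and delete_ok and iis_dir_ok


def alerting_event_ids(events) -> list:
    """Return the ids of the events the rule would alert on."""
    return [e['id'] for e in events if matches_iis_log_deletion(e)]


# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {'id': 'e1', 'Image': r'C:\Windows\System32\cmd.exe', 'OriginalFileName': 'Cmd.Exe',
     'CommandLine': r'cmd.exe /c del /q C:\inetpub\logs\LogFiles\W3SVC1\*.log'},
    {'id': 'e2', 'Image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
     'OriginalFileName': 'PowerShell.EXE',
     'CommandLine': r'powershell -c Remove-Item -Recurse C:\inetpub\logs\LogFiles'},
    # Renamed pwsh binary: Image does not match, OriginalFileName still does.
    {'id': 'e3', 'Image': r'C:\Users\Public\p.exe', 'OriginalFileName': 'pwsh.dll',
     'CommandLine': r'p.exe -c rm C:\inetpub\logs\LogFiles\W3SVC1\u_ex240101.log'},
    # Benign: same directory, read-only command, no delete verb.
    {'id': 'e4', 'Image': r'C:\Windows\System32\cmd.exe', 'OriginalFileName': 'Cmd.Exe',
     'CommandLine': r'cmd.exe /c dir C:\inetpub\logs\LogFiles'},
    # Benign: a deletion, but outside the IIS log directory.
    {'id': 'e5', 'Image': r'C:\Windows\System32\cmd.exe', 'OriginalFileName': 'Cmd.Exe',
     'CommandLine': r'cmd.exe /c del C:\Temp\build\*.tmp'},
]

if __name__ == '__main__':
    print(alerting_event_ids(SAMPLE_EVENTS))  # ['e1', 'e2', 'e3']
```

Note that a scheduled cleanup script running one of these verbs against \inetpub\logs\ also matches, which is exactly the false-positive case listed above; tune by excluding the known maintenance account or script path rather than by dropping a verb.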