Detectionmediumtest

IIS WebServer Access Logs Deleted

Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Tim Rauch, Nasreddine Bencherchali (Nextron Systems)Created Fri Sep 16Updated Wed Feb 153eb8c339-a765-48cc-a150-4364c04652bfwindows

Log Source

WindowsFile Delete

ProductWindows← raw: windows

CategoryFile Delete← raw: file_delete

Detection Logic

detection:
    selection:
        TargetFilename|contains: '\inetpub\logs\LogFiles\'
        TargetFilename|endswith: '.log'
    condition: selection

False Positives

During uninstallation of the IIS service

During log rotation

References

Resolving title…

elastic.co

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Techniques

T1070 · Indicator Removal

Related Rules

SimilarDetectionmedium

IIS WebServer Log Deletion via CommandLine Utilities

Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks. Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

3eb8c339-a765-48cc-a150-4364c04652bf

Status

test

Level

medium

Type

Detection

Created

Fri Sep 16

Modified

Wed Feb 15

Author

Tim Rauch, Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml

Raw Tags

attack.defense-evasionattack.t1070

View on GitHub