IIS WebServer Log Deletion via CommandLine Utilities

Severity: medium
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Source: upstream

Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks. Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1070` Indicator Removal

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of selection_img`

or:
Image|endswith: '\cmd.exe'
Image|endswith: '\powershell.exe'
Image|endswith: '\powershell_ise.exe'
Image|endswith: '\pwsh.exe'
OriginalFileName: cmd.exe
OriginalFileName: powershell.exe
OriginalFileName: powershell_ise.exe
OriginalFileName: pwsh.dll

Stage 2: `all of selection_cli_del`

or:
CommandLine|contains: 'del '
CommandLine|contains: 'erase '
CommandLine|contains: 'remove-item '
CommandLine|contains: 'rm '
CommandLine|contains: 'rmdir '

Stage 3: `all of selection_cli_iis_dir`

CommandLine|contains: '\inetpub\logs\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`\inetpub\logs\` `del` corpus 5 (sigma 5) `erase` corpus 3 (sigma 3) `remove-item` `rm` `rmdir`
`Image`	ends_with	`\cmd.exe` corpus 92 (sigma 92) `\powershell.exe` corpus 143 (sigma 143) `\powershell_ise.exe` corpus 27 (sigma 27) `\pwsh.exe` corpus 140 (sigma 140)
`OriginalFileName`	eq	`cmd.exe` corpus 3 (sigma 3) `powershell.exe` corpus 8 (sigma 8) `powershell_ise.exe` corpus 6 (sigma 6) `pwsh.dll` corpus 72 (sigma 68, splunk 4)