IIS WebServer Log Deletion via CommandLine Utilities

    Date: 10/08/2025

    Severity: Medium

    Summary

    Detects attempts to remove Internet Information Services (IIS) log files using command-line tools, a frequently used defense-evasion tactic in which attackers erase evidence of their activity. Adversaries commonly exploit vulnerabilities in web applications hosted on IIS to gain initial access, then delete the IIS logs to hinder forensic analysis and avoid detection.

    Indicators of Compromise (IOC) List

    Image

    '\cmd.exe'
    '\powershell_ise.exe'
    '\powershell.exe'
    '\pwsh.exe'

    Commandlines

    'del '
    'erase '
    'rm '
    'remove-item '
    'rmdir '

    '\inetpub\logs\'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    (resourcename = "Windows Security" AND eventtype = "4688") AND (processname IN ("\cmd.exe","\powershell_ise.exe","\powershell.exe","\pwsh.exe") AND commandline IN ("del ","erase ","rm ","remove-item ","rmdir ") AND commandline like "\inetpub\logs")

    Detection Query 2:

    technologygroup = "EDR" AND (processname IN ("\cmd.exe","\powershell_ise.exe","\powershell.exe","\pwsh.exe") AND commandline IN ("del ","erase ","rm ","remove-item ","rmdir ") AND commandline like "\inetpub\logs")
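    The same three conditions the queries above express (a shell image, a deletion verb, the IIS log path), written here as an added Python example over constructed Windows 4688 process-creation records; this is not the advisory's or Gurucul's own code, and the field names (EventID, NewProcessName, CommandLine), the sample events and the token-style verb matching are assumptions. Where the queries test commandline with IN against the verb tokens, the example searches for each verb as a standalone token inside the full command line, so a real invocation such as `del C:\inetpub\logs\...` is caught while `-norm` or `Format-Table` is not.

```python
# Added example, not part of the Gurucul advisory: it applies the rule's three
# conditions to constructed 4688-style process-creation records. The field
# names (EventID, NewProcessName, CommandLine) and sample events are assumptions.
import re

SHELL_IMAGES = ("\\cmd.exe", "\\powershell_ise.exe", "\\powershell.exe", "\\pwsh.exe")
DELETE_VERBS = ("del", "erase", "rm", "remove-item", "rmdir")
IIS_LOG_PATH = "\\inetpub\\logs\\"


def is_iis_log_deletion(event: dict) -> bool:
    """True for a shell launch whose command line carries a deletion verb and
    the IIS log directory. Everything is lower-cased first: cmd.exe and
    PowerShell are case-insensitive, so 'DEL' and 'Remove-Item' must match."""
    if event.get("EventID") != 4688:
        return False
    image = event.get("NewProcessName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not image.endswith(SHELL_IMAGES):
        return False
    # The verb must be a standalone token (no word char or '-' before it,
    # whitespace after), so the 'rm' inside '-norm' or 'format' does not fire.
    verb_hit = any(
        re.search(r"(?<![\w-])" + re.escape(v) + r"\s", cmdline)
        for v in DELETE_VERBS
    )
    return verb_hit and IIS_LOG_PATH in cmdline


def flag_events(events):
    """Return the indexes of the events that match the rule."""
    return [i for i, ev in enumerate(events) if is_iis_log_deletion(ev)]


# Constructed sample events (not real telemetry). Only the first two should alert.
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c DEL C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex251008.log"},
    {"EventID": 4688, "NewProcessName": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh.exe -nop -c Remove-Item C:\\inetpub\\logs\\LogFiles\\* -Recurse -Force"},
    # deletion, but not of IIS logs
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c del C:\\Temp\\build.tmp"},
    # touches the log path, but no shell image and no deletion verb
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex251008.log"},
    # shell reads the log (no deletion verb)
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -c Get-Content C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex251008.log"},
]
```

    Running `flag_events(SAMPLE_EVENTS)` returns `[0, 1]`: the cmd.exe DEL and the pwsh.exe Remove-Item launches alert, while the unrelated deletion, the non-shell image and the read-only PowerShell command do not.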

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_iis_logs_deletion.yml


    Tags

    Sigma, Vulnerability Exploit, Internet Information Services (IIS)
