The deletion of IIS WebServer access logs may indicate an adversary attempting to remove forensic evidence and obscure their presence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration or tampering activities early.
Detection Rule
title: IIS WebServer Access Logs Deleted
id: 3eb8c339-a765-48cc-a150-4364c04652bf
related:
    - id: 0649be4a-aeb0-45b0-b89e-7f1668f6d9c0
      type: similar
status: test
description: Detects the deletion of IIS WebServer access logs, which may indicate an attempt to destroy forensic evidence
references:
    - https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html
author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-16
modified: 2023-02-15
tags:
    - attack.defense-evasion
    - attack.t1070
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        TargetFilename|contains: '\inetpub\logs\LogFiles\'
        TargetFilename|endswith: '.log'
    condition: selection
falsepositives:
    - During uninstallation of the IIS service
    - During log rotation
level: medium
Azure Sentinel query (ASIM imFileEvent parser):
imFileEvent
| where EventType == "FileDeleted"   // the Sigma logsource category is file_delete, so restrict to deletions
| where TargetFileName contains "\\inetpub\\logs\\LogFiles\\" and TargetFileName endswith ".log"
Scenario: Scheduled Log Cleanup Task
Description: A legitimate scheduled task runs to rotate and archive IIS access logs, which may temporarily delete or overwrite log files.
Filter/Exclusion: Exclude events where the deletion is performed by a known log cleanup tool (e.g., logrotate, IIS Log Manager, or a custom script named iis_cleanup.ps1).
Scenario: Log File Compression or Archiving
Description: An admin task compresses or archives old IIS access logs, which may involve deleting or moving log files.
Filter/Exclusion: Exclude events where the process is initiated by a compression tool (e.g., 7-Zip, WinRAR, or a script named archive_iis_logs.bat) or a system service like Windows Task Scheduler.
Scenario: Log File Rotation by IIS Service
Description: IIS itself may rotate logs as part of its normal operation, which can involve deleting old log files to make space.
Filter/Exclusion: Exclude events where the deletion is performed by the IIS service (e.g., w3svc process) or via the IIS Manager log rotation settings.
Scenario: System Maintenance or Disk Cleanup
Description: A system maintenance task or disk cleanup utility may delete IIS access logs to free up disk space.
Filter/Exclusion: Exclude events where the deletion is initiated by a system tool like Disk Cleanup or a third-party utility (e.g., CCleaner, TreeSize).
Scenario: Log File Backup and Replacement
Description: A backup process may delete old log files before replacing them with new backups, which is a common practice in some environments.
Filter/Exclusion: Exclude events where the deletion is performed by a backup tool (e.g., `V
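As an added example, not part of the original page or the rule authors' code: a Python replay of the rule's selection logic together with the process-based exclusions from the scenarios above, run over constructed ASIM-style FileEvent records. EventType, TargetFileName, ActingProcessName and ActingProcessCommandLine are ASIM FileEvent field names; the allowlisted process and script names are hypothetical placeholders.

```python
"""Replay the 'IIS WebServer Access Logs Deleted' selection and the page's
false-positive exclusions over constructed ASIM-style FileEvent records."""
from dataclasses import dataclass


@dataclass
class FileEvent:
    event_type: str                        # ASIM EventType, e.g. "FileDeleted"
    target_file_name: str                  # ASIM TargetFileName (full path)
    acting_process_name: str               # ASIM ActingProcessName
    acting_process_command_line: str = ""  # ASIM ActingProcessCommandLine


# Sigma selection from the rule. Sigma string modifiers are case-insensitive
# by default, as are KQL 'contains' and 'endswith', so casefold both sides.
PATH_FRAGMENT = "\\inetpub\\logs\\LogFiles\\".casefold()
LOG_SUFFIX = ".log"


def matches_selection(ev: FileEvent) -> bool:
    path = ev.target_file_name.casefold()
    return (ev.event_type == "FileDeleted"          # logsource category file_delete
            and PATH_FRAGMENT in path
            and path.endswith(LOG_SUFFIX))


# Tuning derived from the false-positive scenarios. Hypothetical allowlist
# values; replace with the tools actually deployed in your environment.
ALLOWED_PROCESSES = {"7z.exe", "winrar.exe", "cleanmgr.exe"}
ALLOWED_SCRIPTS = ("iis_cleanup.ps1", "archive_iis_logs.bat")


def is_known_cleanup(ev: FileEvent) -> bool:
    proc = ev.acting_process_name.casefold()
    cmd = ev.acting_process_command_line.casefold()
    return proc in ALLOWED_PROCESSES or any(s in cmd for s in ALLOWED_SCRIPTS)


def detect(events):
    """Return events that match the selection and survive the exclusions."""
    return [ev for ev in events if matches_selection(ev) and not is_known_cleanup(ev)]


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    FileEvent("FileDeleted", r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex240301.log", "cmd.exe",
              r"cmd.exe /c del C:\inetpub\logs\LogFiles\W3SVC1\*.log"),
    FileEvent("FileDeleted", r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex240302.LOG", "powershell.exe",
              r"powershell.exe -File C:\Scripts\iis_cleanup.ps1"),
    FileEvent("FileDeleted", r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex240303.log", "7z.exe"),
    FileEvent("FileCreated", r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex240304.log", "w3wp.exe"),
    FileEvent("FileDeleted", r"C:\Windows\Temp\build.log", "msbuild.exe"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT {hit.acting_process_name}: {hit.target_file_name}")
```

Exclusions keyed on a process or script name are easy to evade by renaming, so in production narrow them to the tool's full path, signer or service account where the schema carries those fields, and keep the raw matches for hunting.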