Suspicious IIS Logs Delete

# *Suspicious IIS Log Deletion by Command-Line Interpreters*

## Query Information

#### MITRE ATT&CK Technique(s)

| ID | Title    | Link    |
| ---  | --- | --- |
| T1070.004 | Indicator Removal: File Deletion | https://attack.mitre.org/techniques/T1070/004/ |
| T1059.001 | Command and Scripting Interpreter: PowerShell | https://attack.mitre.org/techniques/T1059/001/ |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell | https://attack.mitre.org/techniques/T1059/003/ |
| TA0005 | Defense Evasion (tactic) | https://attack.mitre.org/tactics/TA0005/ |

#### Description
Detects the deletion of files under the IIS log directory by common command-line interpreters (cmd.exe, powershell.exe, powershell_ise.exe, pwsh.exe). Deleting IIS access logs is a typical post-compromise step on a web server, used to remove the record of web-shell uploads, exploitation requests and attacker source addresses. Legitimate log-rotation or cleanup scripts can trigger the same pattern and should be tuned out.

#### Risk
Defense Evasion

#### Author
- **Name:** Benjamin Zulliger
- **Github:** https://github.com/benscha/KQLAdvancedHunting
- **LinkedIn:** https://www.linkedin.com/in/benjamin-zulliger/

#### References
- https://threatview.io

## Defender XDR
```KQL
DeviceFileEvents
| where ActionType == "FileDeleted"
// InitiatingProcessFileName holds only the leaf name (e.g. "cmd.exe"), so match bare names case-insensitively
| where InitiatingProcessFileName in~ ("cmd.exe", "powershell_ise.exe", "powershell.exe", "pwsh.exe")
    or InitiatingProcessCommandLine has_any ("cmd.exe", "powershell.exe", "powershell_ise.exe", "pwsh.exe")
// IIS writes its W3C logs under \inetpub\logs\LogFiles\ by default; `contains` is case-insensitive
| where FolderPath contains @"\inetpub\logs\"
| project Timestamp, DeviceName, FolderPath, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
```



Explanation

This query detects the deletion of IIS log files by command-line interpreters on a web server. Here's a breakdown:

  1. Purpose: Identify deletions of IIS log files, which on a compromised web server usually means someone is removing the record of their requests.

  2. Tools Monitored: Deletions initiated by cmd.exe (for example `del`) and the PowerShell hosts powershell.exe, powershell_ise.exe and pwsh.exe (for example `Remove-Item`), matched on the initiating process name or on the command line.

  3. Targeted Files: Any FolderPath containing \inetpub\logs\, the default location for IIS W3C logs (by default C:\inetpub\logs\LogFiles\W3SVC<site id>\u_ex<date>.log). Servers with a relocated log directory need the path adjusted.

  4. Risk Context: Maps to MITRE ATT&CK T1070.004 (Indicator Removal: File Deletion) under the Defense Evasion tactic, with T1059.001/T1059.003 covering the interpreters used.

  5. Output: Every match is a candidate for investigation, not a confirmed compromise. Before alerting, tune out scheduled log-rotation or cleanup scripts that legitimately delete old logs, and keep in mind that deletions performed by other processes (Explorer, a web shell's own binary, a custom tool) are not covered by this query.
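To make the matching semantics concrete, the following Python replays the query's three where-clauses over a handful of constructed DeviceFileEvents rows. This is an added example, not code from the original page or the author's repository; the column names follow the real DeviceFileEvents schema, but every row, path and the `Rotate-IisLogs.ps1` script name used for the allow-list are made up for illustration.

```python
"""Replay of the IIS-log-deletion detection over constructed DeviceFileEvents rows.
Added example (not the page's own code). Column names follow the real
DeviceFileEvents schema; the rows, paths and script name are constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Sequence

# Process names matched by the query (compared case-insensitively, like KQL in~).
INTERPRETERS = {"cmd.exe", "powershell.exe", "powershell_ise.exe", "pwsh.exe"}
# Path fragment the query looks for; FolderPath holds the full path of the file.
IIS_LOG_DIR = "\\inetpub\\logs\\"


@dataclass
class FileEvent:
    ActionType: str
    FolderPath: str
    InitiatingProcessFileName: str
    InitiatingProcessCommandLine: str


def is_iis_log_deletion(ev: FileEvent) -> bool:
    """Mirror the query's three where-clauses for a single row."""
    if ev.ActionType != "FileDeleted":
        return False
    # InitiatingProcessFileName carries only the leaf name ("cmd.exe"), so
    # compare bare names rather than "\cmd.exe"-style fragments.
    if ev.InitiatingProcessFileName.lower() not in INTERPRETERS:
        return False
    # KQL `contains` is case-insensitive; lower-case the path before testing.
    return IIS_LOG_DIR in ev.FolderPath.lower()


def hunt(events: Iterable[FileEvent], allow_cmdline: Sequence[str] = ()) -> List[FileEvent]:
    """Return matching rows, dropping any whose command line contains an
    allow-listed fragment (e.g. a known, scheduled log-rotation script)."""
    hits = []
    for ev in events:
        if not is_iis_log_deletion(ev):
            continue
        cmd = ev.InitiatingProcessCommandLine.lower()
        if any(fragment.lower() in cmd for fragment in allow_cmdline):
            continue
        hits.append(ev)
    return hits


# Constructed sample rows (not real telemetry). Script name is hypothetical.
SAMPLE_EVENTS = [
    FileEvent("FileDeleted", r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex251020.log",
              "cmd.exe", r"cmd.exe /c del /q C:\inetpub\logs\LogFiles\W3SVC1\u_ex251020.log"),
    # Upper-case path: still matched because `contains` is case-insensitive.
    FileEvent("FileDeleted", r"C:\INETPUB\LOGS\LogFiles\W3SVC1\u_ex251021.log",
              "pwsh.exe", r'pwsh.exe -c "Remove-Item C:\INETPUB\LOGS\LogFiles\W3SVC1\*.log"'),
    # Scheduled rotation script: matches the query, suppressed by the allow-list.
    FileEvent("FileDeleted", r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex250901.log",
              "powershell.exe", r"powershell.exe -File C:\Scripts\Rotate-IisLogs.ps1"),
    # Interpreter deleting something outside the IIS log directory: no match.
    FileEvent("FileDeleted", r"C:\Windows\Temp\setup.tmp",
              "powershell.exe", r'powershell.exe -c "Remove-Item C:\Windows\Temp\setup.tmp"'),
    # Blind spot: a non-interpreter process deleting an IIS log is not matched.
    FileEvent("FileDeleted", r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex251022.log",
              "explorer.exe", "explorer.exe"),
    # Wrong ActionType: creation in the log directory is not a deletion.
    FileEvent("FileCreated", r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex251023.log",
              "cmd.exe", "cmd.exe /c echo > u_ex251023.log"),
]


def run_hunt(allow_cmdline: Sequence[str] = ()) -> List[str]:
    """Return the FolderPath of each alert raised on the sample set."""
    return [ev.FolderPath for ev in hunt(SAMPLE_EVENTS, allow_cmdline)]


if __name__ == "__main__":
    for path in run_hunt():
        print("ALERT:", path)
    print("--- with the rotation script allow-listed ---")
    for path in run_hunt(allow_cmdline=["Rotate-IisLogs.ps1"]):
        print("ALERT:", path)
```

Without an allow-list the sample set produces three alerts (the cmd.exe deletion, the upper-case pwsh.exe deletion and the rotation script); allow-listing the script's name leaves the two genuinely suspicious rows. The explorer.exe row shows the query's blind spot: it only fires when the deleting process is one of the listed interpreters.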

Details


Benjamin Zulliger

Released: October 23, 2025

Tables

DeviceFileEvents
