Query Details

Suspicious IIS Log Deletion by Command-Line Interpreters

Suspicious IIS Logs Delete

Query

DeviceFileEvents
| where ActionType == "FileDeleted"
| where InitiatingProcessFileName has_any  (@"\cmd.exe", @"\powershell_ise.exe", @"\powershell.exe", @"\pwsh.exe")
    or InitiatingProcessCommandLine has_any ("cmd.exe", "powershell.exe", "powershell_ise.exe", "pwsh.dll")
| where FolderPath contains  @"\inetpub\logs\"

About this query

Suspicious IIS Log Deletion by Command-Line Interpreters

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1070.004Indicator Removal: File Deletionhttps://attack.mitre.org/techniques/T1070/004/
T1059.001Command and Scripting Interpreter: PowerShellhttps://attack.mitre.org/techniques/T1059/001/
TA0005Defense Evasionhttps://attack.mitre.org/tactics/TA0005/

Description

Detects the deletion of IIS log files by common command-line interpreters such as cmd.exe or PowerShell. This activity can be indicative of an adversary attempting to remove forensic evidence after compromising an IIS web server.

Risk

Defense Evasion

Author <Optional>

References

Defender XDR

Explanation

This query is designed to detect potentially suspicious activity on a server, specifically the deletion of IIS log files using command-line tools. Here's a simplified breakdown:

  1. Purpose: The query aims to identify instances where IIS log files are deleted, which could indicate an attempt to cover up malicious activity on a web server.

  2. Tools Monitored: It focuses on deletions initiated by common command-line interpreters such as cmd.exe and various versions of PowerShell (powershell.exe, powershell_ise.exe, pwsh.exe).

  3. Targeted Files: The query specifically looks for deletions in the directory path \inetpub\logs\, which is where IIS logs are typically stored.

  4. Risk Context: This activity is associated with the MITRE ATT&CK techniques for defense evasion, where attackers try to remove evidence of their actions.

  5. Output: If the query finds any matches, it suggests that someone might be trying to delete log files to hide their tracks, which is a red flag for security teams to investigate further.

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: October 23, 2025

Tables

DeviceFileEvents

Keywords

DeviceFileEventsFolderPathActionTypeInitiatingProcessNameCommandLine

Operators

DeviceFileEventswhereActionType==has_anyorInitiatingProcessFileNameInitiatingProcessCommandLinecontainsFolderPath

Actions

GitHub