From 90fe2d9e8125d2af937df83764cdf7465bbf019f Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Date: Tue, 7 Oct 2025 14:41:48 +0545
Subject: [PATCH] Merge PR #5640 from @swachchhanda000 - IIS WebServer Log Deletion via CommandLine Utilities
new: IIS WebServer Log Deletion via CommandLine Utilities
---------
Co-authored-by: nasbench
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 ...file_delete_win_delete_iis_access_logs.yml | 3 ++
 .../proc_creation_win_iis_logs_deletion.yml | 47 +++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_iis_logs_deletion.yml
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml b/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml
index 91bb673ab..f2b9490ce 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml
@@ -1,5 +1,8 @@
 title: IIS WebServer Access Logs Deleted
 id: 3eb8c339-a765-48cc-a150-4364c04652bf
+related:
+ - id: 0649be4a-aeb0-45b0-b89e-7f1668f6d9c0
+ type: similar
 status: test
 description: Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence
 references:
diff --git a/rules/windows/process_creation/proc_creation_win_iis_logs_deletion.yml b/rules/windows/process_creation/proc_creation_win_iis_logs_deletion.yml
new file mode 100644
index 000000000..6ef1e8b83
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_iis_logs_deletion.yml
@@ -0,0 +1,47 @@
+title: IIS WebServer Log Deletion via CommandLine Utilities
+id: 0649be4a-aeb0-45b0-b89e-7f1668f6d9c0
+related:
+ - id: 3eb8c339-a765-48cc-a150-4364c04652bf
+ type: similar
+status: experimental
+description: |
+ Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks.
+ Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.
+references:
+ - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-09-02
+tags:
+ - attack.defense-evasion
+ - attack.t1070
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith:
+ - '\cmd.exe'
+ - '\powershell_ise.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - OriginalFileName:
+ - 'cmd.exe'
+ - 'powershell.exe'
+ - 'powershell_ise.exe'
+ - 'pwsh.dll'
+ selection_cli_del:
+ CommandLine|contains:
+ - 'del '
+ - 'erase '
+ - 'rm '
+ - 'remove-item '
+ - 'rmdir '
+ selection_cli_iis_dir:
+ CommandLine|contains: '\inetpub\logs\'
+ condition: all of selection_*
+falsepositives:
+ - Deletion of IIS logs that are older than a certain retention period as part of regular maintenance activities.
+ - Legitimate schedule tasks or scripts that clean up log files regularly.
+ # More Fp cases
+ # https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage#02
+level: medium
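Review bot: The deletion tokens in `selection_cli_del` are unanchored substrings, so `'del '` and `'rm '` also match inside longer words (`model `, `perform `, `confirm `) in any command line that mentions the log path, which will surface as noise on admin scripts that only read or archive those logs. A word-boundary regex such as `CommandLine|re: '(?i)\b(del|erase|rm|rmdir|remove-item)\s'` keeps the same coverage without those matches, and is also the natural place to add the cmd synonym `rd` and the PowerShell alias `ri` if coverage of them is wanted. `selection_cli_iis_dir` keys only on the default `\inetpub\logs\` directory, while the linked Microsoft page describes relocating the log folder per site, so the description should state that sites with a custom log path are not covered. The `# More Fp cases` comment under `falsepositives` would read better as `# More FP cases`.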