Suspicious IIS Log Deletion by Command-Line Interpreters
Suspicious IIS Logs Delete
Query
DeviceFileEvents
| where ActionType == "FileDeleted"
| where InitiatingProcessFileName has_any (@"\cmd.exe", @"\powershell_ise.exe", @"\powershell.exe", @"\pwsh.exe")
or InitiatingProcessCommandLine has_any ("cmd.exe", "powershell.exe", "powershell_ise.exe", "pwsh.dll")
| where FolderPath contains @"\inetpub\logs\"About this query
Suspicious IIS Log Deletion by Command-Line Interpreters
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1070.004 | Indicator Removal: File Deletion | https://attack.mitre.org/techniques/T1070/004/ |
| T1059.001 | Command and Scripting Interpreter: PowerShell | https://attack.mitre.org/techniques/T1059/001/ |
| TA0005 | Defense Evasion | https://attack.mitre.org/tactics/TA0005/ |
Description
Detects the deletion of IIS log files by common command-line interpreters such as cmd.exe or PowerShell. This activity can be indicative of an adversary attempting to remove forensic evidence after compromising an IIS web server.
Risk
Defense Evasion
Author <Optional>
- Name: Benjamin Zulliger
- Github: https://github.com/benscha/KQLAdvancedHunting
- LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/
References
Defender XDR
Explanation
This query is designed to detect potentially suspicious activity on a server, specifically the deletion of IIS log files using command-line tools. Here's a simplified breakdown:
-
Purpose: The query aims to identify instances where IIS log files are deleted, which could indicate an attempt to cover up malicious activity on a web server.
-
Tools Monitored: It focuses on deletions initiated by common command-line interpreters such as
cmd.exeand various versions of PowerShell (powershell.exe,powershell_ise.exe,pwsh.exe). -
Targeted Files: The query specifically looks for deletions in the directory path
\inetpub\logs\, which is where IIS logs are typically stored. -
Risk Context: This activity is associated with the MITRE ATT&CK techniques for defense evasion, where attackers try to remove evidence of their actions.
-
Output: If the query finds any matches, it suggests that someone might be trying to delete log files to hide their tracks, which is a red flag for security teams to investigate further.
Details

Benjamin Zulliger
Released: October 23, 2025
Tables
Keywords
Operators