Threat Feed
medium advisory

WebServer Access Logs Deleted

Detection of web server access log deletion across Windows, Linux, and macOS systems indicates potential defense evasion and destruction of forensic evidence by threat actors.

This rule detects the deletion of web server access logs, a common tactic used by attackers to cover their tracks and hinder forensic investigations. The deletion of these logs may indicate an attempt to evade detection or destroy forensic evidence on a system. This detection rule focuses on identifying deletion events in directories commonly used for web server logs, such as those used by Apache and IIS. The rule covers multiple operating systems, providing a broad detection capability. This is important for defenders because web server logs are critical for monitoring web traffic and identifying malicious activity. The rule is designed to detect activity on “auditbeat-”, “winlogbeat-”, “logs-endpoint.events.”, “logs-windows.sysmon_operational-” indices.

Attack Chain

  1. An attacker gains unauthorized access to a system hosting a web server, potentially through exploiting a vulnerability or using stolen credentials.
  2. The attacker identifies the location of the web server’s access logs. Common locations include /var/log/apache*/access.log and C:\inetpub\logs\LogFiles\*.log.
  3. The attacker uses a privileged account or escalates privileges to obtain the necessary permissions to delete the log files.
  4. The attacker executes a command to delete the web server access logs. This could be done using rm on Linux or del on Windows.
  5. The operating system records the file deletion event in its audit logs, which are monitored by security tools.
  6. The detection rule identifies the deletion event based on the file path and event type.
  7. The security team is alerted to the potential intrusion and begins investigating the incident.
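The matching logic of steps 5 and 6 can be reproduced over file deletion events, as an added example that is not the platform's own query: it checks the event type, then the Linux and Windows access log paths named above, with a process allowlist as the tuning hook the recommendations ask for. Field names follow ECS; the deletion action labels, the sample events and the process names are assumptions.

```python
import fnmatch

# ECS-style field names (event.category, event.action, file.path, host.os.type).
# The deletion action labels and the sample data below are assumptions for this
# example; they are not the platform's own query.
DELETE_ACTIONS = {"deletion", "deleted", "file_delete_event"}

# Log locations named in the advisory. fnmatch's '*' also spans path separators,
# so the IIS pattern covers per-site subfolders such as W3SVC1.
ACCESS_LOG_PATTERNS = {
    "linux": ["/var/log/apache*/access.log"],
    "windows": [r"C:\inetpub\logs\LogFiles\*.log"],
}

def is_access_log_deletion(event, allowlist=frozenset()):
    # Event type first: only file deletions are of interest
    if event.get("event.category") != "file":
        return False
    if event.get("event.action") not in DELETE_ACTIONS:
        return False
    # Tuning hook: processes known to manage these logs in your environment
    if event.get("process.name") in allowlist:
        return False
    os_type = event.get("host.os.type")
    path = event.get("file.path", "")
    for pattern in ACCESS_LOG_PATTERNS.get(os_type, []):
        if os_type == "windows":  # NTFS paths are case-insensitive
            if fnmatch.fnmatchcase(path.lower(), pattern.lower()):
                return True
        elif fnmatch.fnmatchcase(path, pattern):
            return True
    return False

def detect(events, allowlist=frozenset()):
    # Return the events that should raise an alert
    return [e for e in events if is_access_log_deletion(e, allowlist)]

# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"host.os.type": "linux", "event.category": "file", "event.action": "deletion",
     "file.path": "/var/log/apache2/access.log", "process.name": "rm"},
    {"host.os.type": "linux", "event.category": "file", "event.action": "creation",
     "file.path": "/var/log/apache2/access.log", "process.name": "apache2"},
    {"host.os.type": "windows", "event.category": "file", "event.action": "deletion",
     "file.path": r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex240101.log", "process.name": "cmd.exe"},
    {"host.os.type": "windows", "event.category": "file", "event.action": "deletion",
     "file.path": r"C:\Users\alice\notes.log", "process.name": "explorer.exe"},
    {"host.os.type": "linux", "event.category": "file", "event.action": "deletion",
     "file.path": "/var/log/apache2/access.log", "process.name": "backup-agent"},
]
```

Running `detect(SAMPLE_EVENTS, allowlist={"backup-agent"})` yields the rm and cmd.exe deletions only; the creation event, the non-log path and the allowlisted process are suppressed.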

Impact

The deletion of web server access logs can significantly impede incident response and forensic investigations. Without these logs, it becomes difficult to determine the scope and impact of an attack, including identifying compromised accounts, exploited vulnerabilities, and stolen data. This can lead to delayed or ineffective remediation efforts, potentially resulting in further damage to the organization. The impact is particularly severe if the logs are deleted before suspicious activity is detected, as it removes valuable evidence needed for analysis.

Recommendation

  • Deploy the Sigma rule WebServer Access Logs Deleted to your SIEM and tune for your environment to detect malicious log deletion attempts.
  • Enable file integrity monitoring (FIM) on web server log directories to detect unauthorized modifications or deletions.
  • Review and tighten access controls on web server log files to ensure only authorized personnel can modify or delete them.
  • Implement a robust log backup and retention policy to ensure that logs are available for forensic analysis even if they are deleted from the primary system.
  • Investigate any alerts generated by the WebServer Access Logs Deleted rule promptly to determine the root cause and extent of the compromise.

Detection coverage (2 rules)

WebServer Access Logs Deleted - Linux

medium

Detects the deletion of web server access logs on Linux systems.

Format: Sigma | Tactics: defense_evasion | Techniques: T1070.004 | Sources: file_event, linux

WebServer Access Logs Deleted - Windows

medium

Detects the deletion of web server access logs on Windows systems.

Format: Sigma | Tactics: defense_evasion | Techniques: T1070.004 | Sources: file_event, windows
