{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/indicator-removal/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","indicator-removal","file-deletion"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis rule detects the deletion of web server access logs, a common tactic used by attackers to cover their tracks and hinder forensic investigations. The deletion of these logs may indicate an attempt to evade detection or destroy forensic evidence on a system. This detection rule focuses on identifying deletion events in directories commonly used for web server logs, such as those used by Apache and IIS. The rule covers multiple operating systems, providing a broad detection capability. This is important for defenders because web server logs are critical for monitoring web traffic and identifying malicious activity. The rule is designed to detect activity on \u0026ldquo;auditbeat-*\u0026rdquo;, \u0026ldquo;winlogbeat-*\u0026rdquo;, \u0026ldquo;logs-endpoint.events.*\u0026rdquo;, \u0026ldquo;logs-windows.sysmon_operational-*\u0026rdquo; indices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a system hosting a web server, potentially through exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the location of the web server\u0026rsquo;s access logs. Common locations include \u003ccode\u003e/var/log/apache*/access.log\u003c/code\u003e and \u003ccode\u003eC:\\inetpub\\logs\\LogFiles\\*.log\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a privileged account or escalates privileges to obtain the necessary permissions to delete the log files.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a command to delete the web server access logs. This could be done using \u003ccode\u003erm\u003c/code\u003e on Linux or \u003ccode\u003edel\u003c/code\u003e on Windows.\u003c/li\u003e\n\u003cli\u003eThe operating system records the file deletion event in its audit logs, which are monitored by security tools.\u003c/li\u003e\n\u003cli\u003eThe detection rule identifies the deletion event based on the file path and event type.\u003c/li\u003e\n\u003cli\u003eThe security team is alerted to the potential intrusion and begins investigating the incident.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe deletion of web server access logs can significantly impede incident response and forensic investigations. Without these logs, it becomes difficult to determine the scope and impact of an attack, including identifying compromised accounts, exploited vulnerabilities, and stolen data. This can lead to delayed or ineffective remediation efforts, potentially resulting in further damage to the organization. The impact is particularly severe if the logs are deleted before suspicious activity is detected, as it removes valuable evidence needed for analysis.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eWebServer Access Logs Deleted\u003c/code\u003e to your SIEM and tune for your environment to detect malicious log deletion attempts.\u003c/li\u003e\n\u003cli\u003eEnable file integrity monitoring (FIM) on web server log directories to detect unauthorized modifications or deletions.\u003c/li\u003e\n\u003cli\u003eReview and tighten access controls on web server log files to ensure only authorized personnel can modify or delete them.\u003c/li\u003e\n\u003cli\u003eImplement a robust log backup and retention policy to ensure that logs are available for forensic analysis even if they are deleted from the primary system.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eWebServer Access Logs Deleted\u003c/code\u003e rule promptly to determine the root cause and extent of the compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T14:12:42Z","date_published":"2026-04-01T14:12:42Z","id":"/briefs/2026-04-websvr-log-deletion/","summary":"Detection of web server access log deletion across Windows, Linux, and macOS systems indicates potential defense evasion and destruction of forensic evidence by threat actors.","title":"WebServer Access Logs Deleted","url":"https://feed.craftedsignal.io/briefs/2026-04-websvr-log-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed — Indicator-Removal","version":"https://jsonfeed.org/version/1.1"}