From 8168b510ec007e837350b5f677e9c967f9b7f626 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 8 Oct 2025 20:15:05 +0000
Subject: [PATCH] Sigma Rule Update (2025-10-08 20:14:59) (#105)
Co-authored-by: YamatoSecurity
---
config/security_rules.json | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/config/security_rules.json b/config/security_rules.json
index 618df70b..4efcf2b2 100644
--- a/config/security_rules.json
+++ b/config/security_rules.json
@@ -8515,6 +8515,27 @@
 ],
 "title": "Arbitrary File Download Via MSEDGE_PROXY.EXE"
 },
+ {
+ "category": "process_creation",
+ "channel": [
+ "sec"
+ ],
+ "description": "Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks.\nThreat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.\n",
+ "event_ids": [
+ "4688"
+ ],
+ "id": "bb67b9c1-36b4-5057-bac0-7c90c9147791",
+ "level": "medium",
+ "service": "",
+ "subcategory_guids": [
+ "0CCE922B-69AE-11D9-BED3-505054503030"
+ ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1070"
+ ],
+ "title": "IIS WebServer Log Deletion via CommandLine Utilities"
+ },
 {
 "category": "process_creation",
 "channel": [
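Review bot: The new entry binds the IIS log-deletion rule to Security event 4688 only (`"channel": ["sec"]`, `"event_ids": ["4688"]`), but a rule that matches command-line utilities deleting log files depends on the process command line, which 4688 records only when "Include command line in process creation events" is enabled on top of the Audit Process Creation subcategory listed in `subcategory_guids`. If this file is what drives audit-configuration guidance, that prerequisite is worth stating in the description, e.g. `Requires command-line logging in 4688 (ProcessCreationIncludeCmdLine_Enabled); without it this rule cannot fire.` Whether the upstream Sigma rule also matches Sysmon process-creation events cannot be seen from this hunk; if it does, a Sysmon channel / event ID 1 entry here would keep the index consistent with the rule's real sources. The tags stop at the parent `attack.t1070`; since IIS logs are files on disk rather than event-log channels, the sub-technique T1070.004 (File Deletion) is likely the more precise mapping, provided the upstream rule carries it.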