
Summary
This rule is designed to detect attempts to delete Internet Information Services (IIS) log files using command line utilities such as cmd.exe and PowerShell. Attackers may exploit vulnerabilities in IIS-hosted web applications to gain access and subsequently remove log files in order to evade detection by security monitoring tools. The rule captures process creation events on Windows systems, specifically looking for command line arguments that include commands indicative of deletion (e.g., 'del', 'erase', 'rm', 'remove-item', or 'rmdir') in conjunction with paths leading to the IIS log directories (e.g., '\inetpub\logs\'). It also checks the original file name of the executing process to confirm that a Windows command line interpreter is in use. This detection strategy aims to surface a common defense evasion tactic employed by threat actors and ensure that any unauthorized deletion of logs is reported.
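The following is an added illustration of the three conditions the summary describes (interpreter check by original file name, a deletion verb in the command line, and the IIS log path), run over constructed process-creation events. It is not the rule's own query or any vendor's code. The original file name values ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll") and the token-splitting characters are assumptions, as are all sample command lines; none are taken from real telemetry.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# PE OriginalFileName values of the Windows command-line interpreters the
# rule looks for (assumption: cmd.exe reports "Cmd.Exe", Windows PowerShell
# reports "PowerShell.EXE", PowerShell 7 reports "pwsh.dll"; compared
# case-insensitively here, so verify against your own telemetry).
INTERPRETER_ORIGINAL_NAMES = {"cmd.exe", "powershell.exe", "pwsh.dll"}

# Deletion verbs named in the rule summary. They are matched as whole tokens
# so that a substring such as "rm" inside "Format-Volume" does not fire.
DELETE_VERBS = {"del", "erase", "rm", "remove-item", "rmdir"}

# Path fragment that identifies the default IIS log location.
IIS_LOG_PATH = "\\inetpub\\logs\\"

# Separators between tokens in cmd.exe and PowerShell command lines
# (assumption): whitespace, quotes, parentheses and chaining operators.
TOKEN_SPLIT = re.compile(r"""[\s"'(){};&|]+""")


@dataclass
class ProcessEvent:
    """Minimal view of a process-creation event (e.g. Sysmon Event ID 1)."""
    original_file_name: str
    command_line: str


def is_command_interpreter(event: ProcessEvent) -> bool:
    """Condition 1: the executing image is a known command interpreter."""
    return event.original_file_name.lower() in INTERPRETER_ORIGINAL_NAMES


def has_delete_verb(command_line: str) -> bool:
    """Condition 2: a deletion verb appears as a standalone token."""
    tokens = TOKEN_SPLIT.split(command_line.lower())
    return any(tok in DELETE_VERBS for tok in tokens)


def targets_iis_logs(command_line: str) -> bool:
    """Condition 3: the command line references the IIS log directory.
    Forward slashes are normalised because both interpreters accept them."""
    return IIS_LOG_PATH in command_line.lower().replace("/", "\\")


def matches_rule(event: ProcessEvent) -> bool:
    """All three conditions must hold for an event to fire."""
    return (is_command_interpreter(event)
            and has_delete_verb(event.command_line)
            and targets_iis_logs(event.command_line))


def run_detection(events: Iterable[ProcessEvent]) -> List[str]:
    """Return the command lines of every event that matches the rule."""
    return [e.command_line for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry). The first three should
# fire; the remaining four are benign or outside the rule's scope.
SAMPLE_EVENTS = [
    ProcessEvent("Cmd.Exe", r"cmd.exe /c del /q C:\inetpub\logs\LogFiles\W3SVC1\*.log"),
    ProcessEvent("PowerShell.EXE", r"powershell.exe -NoP -Command Remove-Item -Recurse 'C:\inetpub\logs\LogFiles'"),
    ProcessEvent("pwsh.dll", r"pwsh.exe -c rm C:/inetpub/logs/LogFiles/W3SVC1/u_ex250902.log"),
    ProcessEvent("Cmd.Exe", r"cmd.exe /c dir C:\inetpub\logs\LogFiles\W3SVC1"),            # listing, no deletion
    ProcessEvent("Cmd.Exe", r"cmd.exe /c del C:\Temp\build.tmp"),                           # deletion outside IIS logs
    ProcessEvent("PowerShell.EXE", r"powershell.exe -Command Format-Volume -DriveLetter E"),  # "rm" only as a substring
    ProcessEvent("notepad.exe", r"notepad.exe C:\inetpub\logs\LogFiles\W3SVC1\u_ex250902.log"),  # not an interpreter
]

if __name__ == "__main__":
    for line in run_detection(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Whole-token matching is what keeps the verb check from firing on unrelated words, and the path check deliberately ignores drive letters and case so that a log directory reached through a forward-slash path or a non-default drive is still caught; in production the same three predicates map onto the process creation fields a SIEM exposes (image original file name and command line).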
Categories
- Windows
- Cloud
- On-Premise
Data Sources
- Process
- Command
- Logon Session
Created: 2025-09-02