T1070.001: T1070.001
Essential information
- MITRE technique ID
T1070.001- Confidence
- 100/100
- Revoked
- No
- Published
- 28/01/2020 18:05
- Modified
- 17/04/2026 13:15
- Author / Source
- The MITRE Corporation
Aliases
Clear Windows Event Logs
Platforms
windows
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-evasion |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (49)
-
The MITRE Corporation Confidence 100
[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
RevengeHotels usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
interlock usesRansomware.Live Confidence 100
No description available
First seen 01/01/1970 · Last seen 16/11/5138 · -
UAT-8099 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
DragonBreath usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Payouts King usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Rast gang usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
LockBit usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
play usesThe MITRE Corporation Confidence 100
Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to…
First seen 01/01/1970 · Last seen 16/11/5138 · -
DragonForce usesRansomware.Live Confidence 100
No description available
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (75)
-
FaceFish usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
TukTuk usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Olympic Destroyer usesFamily The MITRE Corporation Confidence 100
[Olympic Destroyer](https://attack.mitre.org/software/S0365) is malware that was used by [Sandworm Team](https://attack.mitre.org/groups/G0034) against the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware was to…
First seen 01/01/1970 · Last seen 16/11/5138 · -
LockBit usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PsExec usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
FinFisher usesFamily The MITRE Corporation Confidence 100
[FinFisher](https://attack.mitre.org/software/S0182) is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple…
First seen 01/01/1970 · Last seen 16/11/5138 · -
ShrinkLocker usesFamily The MITRE Corporation Confidence 100
[ShrinkLocker](https://attack.mitre.org/software/S1178) is a VBS-based malicious script that leverages the legitimate Bitlocker application to encrypt files on victim systems for ransom. [ShrinkLocker](https://attack.mitre.org/software/S1178) functions by using Bitlocker to encrypt files,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
PhantomNet usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Nitrogen usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
LV usesThe MITRE Corporation Confidence 100
[njRAT](https://attack.mitre.org/software/S0385) is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.(Citation: Fidelis njRAT June 2013)
First seen 01/01/1970 · Last seen 16/11/5138 · -
HRSword usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
NetExec usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (43)
-
AlienVault Confidence 100 20 MITREs 6 Malwares 10 IOCs 2 Observables
-
AlienVault Confidence 100 4 CVEs 17 MITREs 3 Malwares 9 IOCs 6 Observables 1 APT
-
AlienVault Confidence 100 19 MITREs 5 Malwares 20 IOCs 1 APT
-
AlienVault Confidence 100 20 MITREs 2 Malwares 9 IOCs 2 Observables
-
AlienVault Confidence 100 20 MITREs 8 Malwares 11 IOCs 2 Observables 1 APT
-
AlienVault Confidence 100 20 MITREs 8 Malwares 11 IOCs 2 Observables 1 APT
-
AlienVault Confidence 100 1 CVE 20 MITREs 4 Malwares 3 IOCs 3 Observables 1 APT
-
1 CVE 20 MITREs 12 Malwares 6 Observables 1 APT
-
19 MITREs 2 Malwares 2 Observables 1 APT
-
AlienVault Confidence 100 1 CVE 20 MITREs 3 Malwares 3 IOCs 3 Observables 1 APT
-
AlienVault Confidence 100 1 CVE 23 MITREs 6 Malwares 32 IOCs 32 Observables
-
AlienVault Confidence 100 1 CVE 18 MITREs 4 Malwares 9 IOCs 9 Observables
Vulnerabilities (CVE) (35)
Improper authorization in Microsoft Partner Center allows an authorized attacker to elevate privileges over a network.
- Attack vector
- NETWORK
- Published
- 21/03/2025
- Modified
- 21/12/2025
Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation. This vulnerability can lead to memory overread …
- Attack vector
- Network
- Published
- 10/07/2025
- Modified
- 21/12/2025
VMware vCenter Server contains a file upload vulnerability in the Analytics service that allows a user with network access to port 443 …
- Published
- 03/11/2021
- Modified
- 21/12/2025
Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. A compromised child process …
- Attack vector
- Network
- Complexity
- Low
- Published
- 27/03/2025
- Modified
- 13/04/2026
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.
- Attack vector
- NETWORK
- Published
- 29/01/2026
- Modified
- 27/03/2026
Google Chromium Mojo on Windows contains a sandbox escape vulnerability caused by a logic error, which results from an incorrect handle being …
- Attack vector
- Network
- Published
- 27/03/2025
- Modified
- 21/12/2025
Citrix NetScaler ADC and NetScaler Gateway contain a buffer overflow vulnerability that allows for sensitive information disclosure when configured as a Gateway …
- Attack vector
- Network
- Published
- 18/10/2023
- Modified
- 21/12/2025
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 29/01/2026
- Modified
- 10/04/2026
F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, …
- Published
- 10/05/2022
- Modified
- 20/12/2025
VMware vCenter Server vSphere Client contains a remote code execution vulnerability in a vCenter Server plugin which allows an attacker with network …
- Published
- 03/11/2021
- Modified
- 21/12/2025
Atlassian Confluence Data Center and Server contain an improper authorization vulnerability that can result in significant data loss when exploited by an …
- Attack vector
- Network
- Published
- 07/11/2023
- Modified
- 21/12/2025
Tool (1)
-
Wevtutil usesThe MITRE Corporation Confidence 100
[Wevtutil](https://attack.mitre.org/software/S0645) is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.(Citation: Wevtutil Microsoft Documentation)