T1070.001: T1070.001
Essential information
- MITRE technique ID
T1070.001- Confidence
- 100/100
- Revoked
- No
- Published
- 28/01/2020 18:05
- Modified
- 17/04/2026 13:15
- Author / Source
- The MITRE Corporation
Aliases
Clear Windows Event Logs
Platforms
windows
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-evasion |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (48)
-
The MITRE Corporation Confidence 100
[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
RevengeHotels usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
interlock usesRansomware.Live Confidence 100
No description available
First seen 01/01/1970 · Last seen 16/11/5138 · -
UAT-8099 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
DragonBreath usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Payouts King usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Rast gang usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
LockBit usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
play usesThe MITRE Corporation Confidence 100
Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Dark Power usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (72)
-
Vect usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Ghostengine usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Guidloader usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
RunningRAT usesFamily The MITRE Corporation Confidence 100
[RunningRAT](https://attack.mitre.org/software/S0253) is a remote access tool that appeared in operations surrounding the 2018 Pyeongchang Winter Olympics along with [Gold Dragon](https://attack.mitre.org/software/S0249) and [Brave Prince](https://attack.mitre.org/software/S0252). (Citation: McAfee Gold Dragon)
First seen 01/01/1970 · Last seen 16/11/5138 · -
AlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Blackout Locker usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Cobalt Strike usesFamily The MITRE Corporation Confidence 100
[Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Rhysida usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
gh0st RAT - S0032 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
RansomHub usesThe MITRE Corporation Confidence 100
[RansomHub](https://attack.mitre.org/software/S1212) is a ransomware-as-a-service (RaaS) offering with Windows, ESXi, Linux, and FreeBSD versions that has been in use since at least 2024 to target organizations in multiple sectors…
First seen 01/01/1970 · Last seen 16/11/5138 · -
SystemBC usesAlienVault Confidence 100
[SystemBC](https://attack.mitre.org/software/S9001) is a malware family offered as a malware-as-a-service (MaaS) that is used to establish command and control and facilitate follow-on activity, including ransomware deployment.[SystemBC](https://attack.mitre.org/software/S9001) executes a variety…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Phobos usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (40)
-
Operation SalmonSlalom related23 MITREs 6 Malwares 160 Observables
-
4 CVEs 19 MITREs 1 Malware 15 Observables 1 APT
-
CL0P Ransomware: Latest Attacks related1 CVE 35 MITREs 1 Malware 6 Observables 1 APT
-
17 MITREs 9 Observables 1 APT
-
15 MITREs 2 Malwares 2 Observables 1 APT
-
15 MITREs 2 Malwares 44 Observables 1 APT
-
32 MITREs 6 Malwares 45 Observables
-
20 MITREs 5 Malwares 21 Observables 1 APT
-
19 MITREs 5 Observables 1 APT
-
15 MITREs 2 Malwares 9 Observables 1 APT
-
2 CVEs 20 MITREs 5 Malwares 20 Observables 1 APT
-
9 MITREs 1 Malware 2 Observables
Vulnerabilities (CVE) (31)
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system …
- Attack vector
- Network
- Published
- 12/06/2024
- Modified
- 21/12/2025
PaperCut NG and PaperCut MF before 22.1.3 on Windows allow path traversal, enabling attackers to upload, read, or delete arbitrary files. This …
- Attack vector
- NETWORK
- Published
- 04/08/2023
- Modified
- 08/05/2026
Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. Successful exploitation allows for …
- Attack vector
- LOCAL
- Complexity
- LOW
- Published
- 12/04/2017
- Modified
- 22/04/2026
Execution with Unnecessary Privileges vulnerability in multiple services of Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 …
- Attack vector
- Local
- Complexity
- LOW
- Published
- 16/05/2025
- Modified
- 17/04/2026
Atlassian Confluence Data Center and Server contains a broken access control vulnerability that allows an attacker to create unauthorized Confluence administrator accounts …
- Attack vector
- Network
- Published
- 05/10/2023
- Modified
- 21/12/2025
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated …
- Attack vector
- Network
- Complexity
- Low
- Published
- 06/05/2026
- Modified
- 15/05/2026
Microsoft Windows Win32 Kernel Subsystem contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally.
- Attack vector
- Local
- Published
- 11/03/2025
- Modified
- 21/12/2025
BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker …
- Attack vector
- Network
- Published
- 13/02/2026
- Modified
- 20/02/2026
Atlassian Confluence Data Center and Server contain an unauthenticated OGNL template injection vulnerability that can lead to remote code execution.
- Attack vector
- Network
- Published
- 24/01/2024
- Modified
- 21/12/2025
Microsoft Windows Common Log File System (CLFS) Driver contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally.
- Attack vector
- Local
- Published
- 08/04/2025
- Modified
- 21/12/2025
TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm. The impacted products could be …
- Attack vector
- Network
- Published
- 16/06/2025
- Modified
- 21/12/2025
Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload and download vulnerability that can lead …
- Attack vector
- Network
- Published
- 13/12/2024
- Modified
- 21/12/2025
Tool (1)
-
Wevtutil usesThe MITRE Corporation Confidence 100
[Wevtutil](https://attack.mitre.org/software/S0645) is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.(Citation: Wevtutil Microsoft Documentation)