T1070.001: T1070.001
Essential information
- MITRE technique ID
T1070.001- Confidence
- 100/100
- Revoked
- No
- Published
- 28/01/2020 18:05
- Modified
- 17/04/2026 13:15
- Author / Source
- The MITRE Corporation
Aliases
Clear Windows Event Logs
Platforms
windows
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-evasion |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (50)
-
The MITRE Corporation Confidence 100
[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
RevengeHotels usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
interlock usesRansomware.Live Confidence 100
No description available
First seen 01/01/1970 · Last seen 16/11/5138 · -
UAT-8099 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
DragonBreath usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Payouts King usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Rast gang usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
LockBit usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
play usesThe MITRE Corporation Confidence 100
Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to…
First seen 01/01/1970 · Last seen 16/11/5138 · -
DragonForce usesRansomware.Live Confidence 100
No description available
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (74)
-
BlackSalt usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
LeetAgent usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CutBrooch usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Vect usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Ghostengine usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Guidloader usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
RunningRAT usesFamily The MITRE Corporation Confidence 100
[RunningRAT](https://attack.mitre.org/software/S0253) is a remote access tool that appeared in operations surrounding the 2018 Pyeongchang Winter Olympics along with [Gold Dragon](https://attack.mitre.org/software/S0249) and [Brave Prince](https://attack.mitre.org/software/S0252). (Citation: McAfee Gold Dragon)
First seen 01/01/1970 · Last seen 16/11/5138 · -
AlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Crucio usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Blackout Locker usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Cobalt Strike usesFamily The MITRE Corporation Confidence 100
[Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Rhysida usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (44)
-
AlienVault Confidence 100 13 CVEs 20 MITREs 4 Malwares 6 IOCs 5 Observables 1 APT
-
AlienVault Confidence 100 20 MITREs 6 Malwares 10 IOCs 2 Observables
-
AlienVault Confidence 100 4 CVEs 17 MITREs 3 Malwares 9 IOCs 6 Observables 1 APT
-
AlienVault Confidence 100 19 MITREs 5 Malwares 20 IOCs 1 APT
-
AlienVault Confidence 100 20 MITREs 2 Malwares 9 IOCs 2 Observables
-
AlienVault Confidence 100 20 MITREs 8 Malwares 11 IOCs 2 Observables 1 APT
-
AlienVault Confidence 100 20 MITREs 8 Malwares 11 IOCs 2 Observables 1 APT
-
AlienVault Confidence 100 1 CVE 20 MITREs 4 Malwares 3 IOCs 3 Observables 1 APT
-
1 CVE 20 MITREs 12 Malwares 6 Observables 1 APT
-
19 MITREs 2 Malwares 2 Observables 1 APT
-
AlienVault Confidence 100 1 CVE 20 MITREs 3 Malwares 3 IOCs 3 Observables 1 APT
-
AlienVault Confidence 100 1 CVE 23 MITREs 6 Malwares 32 IOCs 32 Observables
Vulnerabilities (CVE) (48)
Race Condition in NetScaler ADC and NetScaler Gateway when appliance is configured as Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or …
- Published
- 23/03/2026
- Modified
- 10/07/2026
Rejected reason: This CVE is a duplicate of CVE-2025-55182.
- Published
- 20/12/2025
- Modified
- 21/12/2025
OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing …
- Attack vector
- Adjacent
- Complexity
- Low
- Published
- 24/02/2021
- Modified
- 03/06/2026
The trx_addons WordPress plugin before 2.38.5 does not correctly validate file types in one of its AJAX action, allowing unauthenticated users to …
- Attack vector
- NETWORK
- Complexity
- LOW
- EPSS
- 0.0005 (P15.8%)
- Published
- 23/03/2026
- Modified
- 13/07/2026
The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 07/04/2026
- Modified
- 13/07/2026
Microsoft Windows Search contains an unspecified vulnerability that could allow an attacker to evade Mark of the Web (MOTW) defenses via a …
- Attack vector
- Network
- Published
- 17/07/2023
- Modified
- 27/05/2026
Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue …
- Attack vector
- NETWORK
- Published
- 19/12/2025
- Modified
- 26/01/2026
Hangzhou Shunwang Rentdrv2 before 2024-12-24 allows local users to terminate EDR processes and possibly have unspecified other impact via DeviceIoControl with control …
- Attack vector
- LOCAL
- Published
- 01/08/2025
- Modified
- 09/06/2026
Improper authorization in Microsoft Partner Center allows an authorized attacker to elevate privileges over a network.
- Attack vector
- NETWORK
- Published
- 21/03/2025
- Modified
- 21/12/2025
The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function …
- Attack vector
- NETWORK
- Complexity
- LOW
- EPSS
- 0.0006 (P18.5%)
- Published
- 23/04/2026
- Modified
- 13/07/2026
A critical pre-authentication vulnerability exists in the authentication subsystem of BeyondTrust Remote Support and Privileged Remote Access. Improper validation of authentication data …
- Attack vector
- NETWORK
- Complexity
- HIGH
- Published
- 06/07/2026
Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation. This vulnerability can lead to memory overread …
- Attack vector
- Network
- Published
- 10/07/2025
- Modified
- 21/12/2025
Tool (1)
-
Wevtutil usesThe MITRE Corporation Confidence 100
[Wevtutil](https://attack.mitre.org/software/S0645) is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.(Citation: Wevtutil Microsoft Documentation)