T1070.001: T1070.001
Essential information
- MITRE technique ID
T1070.001- Confidence
- 100/100
- Revoked
- No
- Published
- 28/01/2020 18:05
- Modified
- 17/04/2026 13:15
- Author / Source
- The MITRE Corporation
Aliases
Clear Windows Event Logs
Platforms
windows
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-evasion |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (50)
-
The MITRE Corporation Confidence 100
[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
RevengeHotels usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
interlock usesRansomware.Live Confidence 100
No description available
First seen 01/01/1970 · Last seen 16/11/5138 · -
UAT-8099 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
DragonBreath usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Payouts King usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Rast gang usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
LockBit usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
play usesThe MITRE Corporation Confidence 100
Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to…
First seen 01/01/1970 · Last seen 16/11/5138 · -
DragonForce usesRansomware.Live Confidence 100
No description available
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (74)
-
GigaWiper usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
gh0st RAT - S0032 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
RansomHub usesThe MITRE Corporation Confidence 100
[RansomHub](https://attack.mitre.org/software/S1212) is a ransomware-as-a-service (RaaS) offering with Windows, ESXi, Linux, and FreeBSD versions that has been in use since at least 2024 to target organizations in multiple sectors…
First seen 01/01/1970 · Last seen 16/11/5138 · -
SystemBC usesAlienVault Confidence 100
[SystemBC](https://attack.mitre.org/software/S9001) is a malware family offered as a malware-as-a-service (MaaS) that is used to establish command and control and facilitate follow-on activity, including ransomware deployment.[SystemBC](https://attack.mitre.org/software/S9001) executes a variety…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Phobos usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Zegost usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
BlackEnergy usesFamily The MITRE Corporation Confidence 100
[BlackEnergy](https://attack.mitre.org/software/S0089) is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create…
First seen 01/01/1970 · Last seen 16/11/5138 · -
HermeticWiper usesFamily The MITRE Corporation Confidence 100
[HermeticWiper](https://attack.mitre.org/software/S0697) is a data wiper that has been used since at least early 2022, primarily against Ukraine with additional activity observed in Latvia and Lithuania. Some sectors targeted…
First seen 01/01/1970 · Last seen 16/11/5138 · -
MultiLayer Wiper usesFamily The MITRE Corporation Confidence 100
[MultiLayer Wiper](https://attack.mitre.org/software/S1135) is wiper malware written in .NET associated with [Agrius](https://attack.mitre.org/groups/G1030) operations. Observed samples of [MultiLayer Wiper](https://attack.mitre.org/software/S1135) have an anomalous, future compilation date suggesting possible metadata manipulation.(Citation: Unit42…
First seen 01/01/1970 · Last seen 16/11/5138 · -
BlackBasta usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
AlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
UltraVNC usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (44)
-
AlienVault Confidence 100 13 CVEs 20 MITREs 4 Malwares 6 IOCs 5 Observables 1 APT
-
AlienVault Confidence 100 20 MITREs 6 Malwares 10 IOCs 2 Observables
-
AlienVault Confidence 100 4 CVEs 17 MITREs 3 Malwares 9 IOCs 6 Observables 1 APT
-
AlienVault Confidence 100 19 MITREs 5 Malwares 20 IOCs 1 APT
-
AlienVault Confidence 100 20 MITREs 2 Malwares 9 IOCs 2 Observables
-
AlienVault Confidence 100 20 MITREs 8 Malwares 11 IOCs 2 Observables 1 APT
-
AlienVault Confidence 100 20 MITREs 8 Malwares 11 IOCs 2 Observables 1 APT
-
AlienVault Confidence 100 1 CVE 20 MITREs 4 Malwares 3 IOCs 3 Observables 1 APT
-
1 CVE 20 MITREs 12 Malwares 6 Observables 1 APT
-
19 MITREs 2 Malwares 2 Observables 1 APT
-
AlienVault Confidence 100 1 CVE 20 MITREs 3 Malwares 3 IOCs 3 Observables 1 APT
-
AlienVault Confidence 100 1 CVE 23 MITREs 6 Malwares 32 IOCs 32 Observables
Vulnerabilities (CVE) (48)
TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm. The impacted products could be …
- Attack vector
- Network
- Published
- 16/06/2025
- Modified
- 21/12/2025
ConnectWise ManagedITSync integration for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database.
- Published
- 24/05/2022
- Modified
- 10/07/2026
Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload and download vulnerability that can lead …
- Attack vector
- Network
- Published
- 13/12/2024
- Modified
- 21/12/2025
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through …
- Attack vector
- Network
- Published
- 14/01/2025
- Modified
- 27/05/2026
WordPress File Manager plugin contains a remote code execution vulnerability that allows unauthenticated users to execute PHP code and upload malicious files …
- Published
- 03/11/2021
- Modified
- 13/07/2026
Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, when configured to …
- Attack vector
- NETWORK
- Published
- 27/04/2021
- Modified
- 13/07/2026
In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 …
- Attack vector
- LOCAL
- Complexity
- LOW
- EPSS
- 0.0001 (P0.6%)
- Published
- 22/04/2026
- Modified
- 23/05/2026
NVIDIA NeMo library for all platforms contains a vulnerability in the model loading component, where an attacker could cause code injection by …
- Attack vector
- LOCAL
- Published
- 13/08/2025
- Modified
- 17/04/2026
The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the …
- Attack vector
- Network
- Complexity
- Low
- EPSS
- 0.0002 (P4.5%)
- Published
- 11/05/2026
- Modified
- 13/07/2026
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …
- Attack vector
- Network
- Published
- 05/12/2025
- Modified
- 29/05/2026
The BerqWP – Automated All-In-One Page Speed Optimization for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript plugin for WordPress is …
- Attack vector
- NETWORK
- Published
- 01/08/2025
- Modified
- 13/07/2026
Improper Control of Generation of Code ('Code Injection') vulnerability in Salesforce Uni2TS on MacOS, Windows, Linux allows Leverage Executable Code in Non-Executable …
- Attack vector
- NETWORK
- EPSS
- 0.0003 (P7.6%)
- Published
- 09/01/2026
- Modified
- 17/04/2026
Tool (1)
-
Wevtutil usesThe MITRE Corporation Confidence 100
[Wevtutil](https://attack.mitre.org/software/S0645) is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.(Citation: Wevtutil Microsoft Documentation)