T1070.001: T1070.001

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 28/01/2020 18:05 · Modified 17/04/2026 13:15

Essential information

MITRE technique ID: T1070.001
Confidence: 100/100
Revoked: No
Published: 28/01/2020 18:05
Modified: 17/04/2026 13:15
Author / Source: The MITRE Corporation

Aliases

Clear Windows Event Logs

Platforms

windows

Description

Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit. With administrator privileges, the event logs can be cleared with the following utility commands: * `wevtutil cl system` * `wevtutil cl application` * `wevtutil cl security` These logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command `Remove-EventLog -LogName Security` to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging) Adversaries may also attempt to clear logs by directly deleting the stored log files within `C:\Windows\System32\winevt\logs\`.

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

disable_win_evt_logging
Microsoft Clear-EventLog
Microsoft EventLog.Clear
mitre-attack (T1070.001)
Microsoft wevtutil Oct 2017

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (47)

FIN8 uses Syssphinx

The MITRE Corporation Confidence 100

[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
RevengeHotels uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
interlock uses

Ransomware.Live Confidence 100

No description available

First seen 01/01/1970 · Last seen 16/11/5138 ·
UAT-8099 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DragonBreath uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Payouts King uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Rast gang uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
LockBit uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
play uses

The MITRE Corporation Confidence 100

Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Volt Typhoon uses BRONZE SILHOUETTEVanguard Panda

The MITRE Corporation Confidence 100

[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Indrik Spider uses Manatee TempestDEV-0243

The MITRE Corporation Confidence 100

[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Dark Power uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 4

13–24 of 47

FatalRAT uses

Family
BlackReaperRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BlackMatter uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
LockBit 5.0 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
XlAnyLoader uses

Family
EtherRAT uses

Family
KaWaLocker 2.0 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RansomEXX uses

Family
Dante uses

Family
NotPetya uses

Family
FaceFish uses

Family
TukTuk uses

Family

← Previous

Page / 6

1–12 of 72

WEBJACK: Evolving IIS Hijacking Campaign Abuses SEO for … related

11 MITREs 4 Malwares 34 Observables 1 APT
RONINGLOADER: DragonBreath's New Path to PPL Abuse related

21 MITREs 4 Malwares 14 Observables 1 APT
License to Encrypt: Make Their Move related

17 MITREs 1 Malware 1 APT
Underground Ransomware Being Distributed Worldwide related

11 MITREs 1 Malware 1 APT
Ransomware incidents in Japan during the first half … related

11 MITREs 2 Malwares 1 APT
Illusory Wishes: China-nexus APT Targets the Tibetan Community related

17 MITREs 2 Malwares 26 Observables 1 APT
Dire Wolf Strikes: New Ransomware Group Targeting Global … related

7 MITREs 1 Malware 2 Observables 1 APT
Hide Your RDP: Password Spray Leads to RansomHub … related

25 MITREs 2 Malwares 9 Observables 1 APT
Unmasking the new persistent attacks on Japan related

1 CVE 10 MITREs 1 Malware 3 Observables
Operation SalmonSlalom related

23 MITREs 6 Malwares 160 Observables
Confluence Exploit Leads to LockBit Ransomware related

4 CVEs 19 MITREs 1 Malware 15 Observables 1 APT
CL0P Ransomware: Latest Attacks related

1 CVE 35 MITREs 1 Malware 6 Observables 1 APT

← Previous

Page / 4

13–24 of 37

Vulnerabilities (CVE) (31)

CVE-2024-55591 KEV targets

9.8 Critical

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through …

Attack vector: Network
Published: 14/01/2025
Modified: 27/05/2026

Analyzed

CVE-2026-31431 KEV targets

7.8 High

In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 …

Attack vector: LOCAL
Complexity: LOW
EPSS: 0.0001 (P0.6%)
Published: 22/04/2026
Modified: 23/05/2026

CWE-669 Awaiting Analysis

CVE-2025-23304 targets

7.8 High

NVIDIA NeMo library for all platforms contains a vulnerability in the model loading component, where an attacker could cause code injection by …

Attack vector: LOCAL
Published: 13/08/2025
Modified: 17/04/2026

Awaiting Analysis

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2026-22584 targets

9.8 Critical

Improper Control of Generation of Code ('Code Injection') vulnerability in Salesforce Uni2TS on MacOS, Windows, Linux allows Leverage Executable Code in Non-Executable …

Attack vector: NETWORK
EPSS: 0.0003 (P7.6%)
Published: 09/01/2026
Modified: 17/04/2026

Received

CVE-2025-66478 targets

Rejected reason: This CVE is a duplicate of CVE-2025-55182.

Published: 20/12/2025
Modified: 21/12/2025

Rejected

CVE-2021-21974 targets

8.8 High

OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing …

Attack vector: Adjacent
Complexity: Low
Published: 24/02/2021
Modified: 03/06/2026

CWE-787

CVE-2023-36884 KEV targets

7.5 High

Microsoft Windows Search contains an unspecified vulnerability that could allow an attacker to evade Mark of the Web (MOTW) defenses via a …

Attack vector: Network
Published: 17/07/2023
Modified: 27/05/2026

CVE-2025-14847 KEV targets

8.7 High

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue …

Attack vector: NETWORK
Published: 19/12/2025
Modified: 26/01/2026

Awaiting Analysis

CVE-2023-44976 targets

3.2 Low

Hangzhou Shunwang Rentdrv2 before 2024-12-24 allows local users to terminate EDR processes and possibly have unspecified other impact via DeviceIoControl with control …

Attack vector: LOCAL
Published: 01/08/2025
Modified: 09/06/2026

Received

CVE-2025-29814 targets

9.3 Critical

Improper authorization in Microsoft Partner Center allows an authorized attacker to elevate privileges over a network.

Attack vector: NETWORK
Published: 21/03/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2021-22005 KEV targets

VMware vCenter Server contains a file upload vulnerability in the Analytics service that allows a user with network access to port 443 …

Published: 03/11/2021
Modified: 21/12/2025

← Previous

Page / 3

13–24 of 31

T1070 subtechnique-of

Indicator Removal MITRE

Tool (1)

Wevtutil uses

The MITRE Corporation Confidence 100

[Wevtutil](https://attack.mitre.org/software/S0645) is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.(Citation: Wevtutil Microsoft Documentation)

Contact About Legal notice Privacy policy Terms of use