T1070.001: T1070.001

Search IOCs, vulnerabilities, APT…

216.73.216.226

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 28/01/2020 18:05 · Modified 17/04/2026 13:15

Essential information

MITRE technique ID: T1070.001
Confidence: 100/100
Revoked: No
Published: 28/01/2020 18:05
Modified: 17/04/2026 13:15
Author / Source: The MITRE Corporation

Aliases

Clear Windows Event Logs

Platforms

windows

Description

Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit. With administrator privileges, the event logs can be cleared with the following utility commands: * `wevtutil cl system` * `wevtutil cl application` * `wevtutil cl security` These logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command `Remove-EventLog -LogName Security` to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging) Adversaries may also attempt to clear logs by directly deleting the stored log files within `C:\Windows\System32\winevt\logs\`.

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

disable_win_evt_logging
Microsoft Clear-EventLog
Microsoft EventLog.Clear
mitre-attack (T1070.001)
Microsoft wevtutil Oct 2017

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (47)

FIN8 uses Syssphinx

The MITRE Corporation Confidence 100

[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
RevengeHotels uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
interlock uses

Ransomware.Live Confidence 100

No description available

First seen 01/01/1970 · Last seen 16/11/5138 ·
UAT-8099 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DragonBreath uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Payouts King uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Rast gang uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
LockBit uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
play uses

The MITRE Corporation Confidence 100

Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Volt Typhoon uses BRONZE SILHOUETTEVanguard Panda

The MITRE Corporation Confidence 100

[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Indrik Spider uses Manatee TempestDEV-0243

The MITRE Corporation Confidence 100

[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Dark Power uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 4

13–24 of 47

FatalRAT uses

Family
BlackReaperRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BlackMatter uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
LockBit 5.0 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
XlAnyLoader uses

Family
EtherRAT uses

Family
KaWaLocker 2.0 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RansomEXX uses

Family
Dante uses

Family
NotPetya uses

Family
FaceFish uses

Family
TukTuk uses

Family

← Previous

Page / 6

1–12 of 72

Ransomware Analysis: Go Binary and Fast Encryption related

AlienVault Confidence 100 1 CVE 20 MITREs 4 Malwares 3 IOCs 3 Observables 1 APT
Hacktivists are broadening their scope beyond political motivation related

1 CVE 20 MITREs 12 Malwares 6 Observables 1 APT
The Gentlemen ransomware: Dissecting a self-propagating Go encryptor related

19 MITREs 2 Malwares 2 Observables 1 APT
The Gentleman Ransomware | Defense Evasion TTPs Uncovered related

AlienVault Confidence 100 1 CVE 20 MITREs 3 Malwares 3 IOCs 3 Observables 1 APT
Flash Alert: EtherRat and TukTuk C2 End in … related

AlienVault Confidence 100 1 CVE 23 MITREs 6 Malwares 32 IOCs 32 Observables
Threat Actors Weaponize Tiflux RMMs in Malspam Attacks related

AlienVault Confidence 100 1 CVE 18 MITREs 4 Malwares 9 IOCs 9 Observables
Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day … related

12 CVEs 20 MITREs 2 Malwares 4 Observables 1 APT
Kyber ransomware is not just post-quantum name-dropping related

AlienVault Confidence 100 15 MITREs 1 Malware 8 IOCs 8 Observables
VECT: Ransomware by design, Wiper by accident related

AlienVault Confidence 100 21 MITREs 1 Malware 8 IOCs 8 Observables 1 APT
Kyber Ransomware Double Trouble: Windows and ESXi Attacks … related

19 MITREs 1 Malware 3 Observables 1 APT
The Gentlemen & SystemBC: A Sneak Peek Behind … related

46 MITREs 6 Malwares 27 Observables 1 APT
Takes Aim at the Ransomware Throne related

AlienVault Confidence 100 20 MITREs 3 Malwares 2 IOCs 2 Observables 1 APT

← Previous

Page / 4

1–12 of 37

Vulnerabilities (CVE) (31)

CVE-2025-2857 targets

10.0 Critical

Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. A compromised child process …

Attack vector: Network
Complexity: Low
Published: 27/03/2025
Modified: 13/04/2026

CWE-668 Awaiting Analysis

CVE-2026-1281 KEV targets

9.8 Critical

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.

Attack vector: NETWORK
Published: 29/01/2026
Modified: 27/03/2026

Analyzed

CVE-2025-2783 KEV targets

8.3 High

Google Chromium Mojo on Windows contains a sandbox escape vulnerability caused by a logic error, which results from an incorrect handle being …

Attack vector: Network
Published: 27/03/2025
Modified: 21/12/2025

Analyzed

CVE-2026-1340 KEV targets

9.8 Critical

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.

Attack vector: NETWORK
Complexity: LOW
Published: 29/01/2026
Modified: 10/04/2026

CWE-94 Received

CVE-2022-1388 KEV targets

F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, …

Published: 10/05/2022
Modified: 20/12/2025

CVE-2021-21972 KEV targets

VMware vCenter Server vSphere Client contains a remote code execution vulnerability in a vCenter Server plugin which allows an attacker with network …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2023-22518 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contain an improper authorization vulnerability that can result in significant data loss when exploited by an …

Attack vector: Network
Published: 07/11/2023
Modified: 21/12/2025

← Previous

Page / 3

25–31 of 31

T1070 subtechnique-of

Indicator Removal MITRE

Tool (1)

Wevtutil uses

The MITRE Corporation Confidence 100

[Wevtutil](https://attack.mitre.org/software/S0645) is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.(Citation: Wevtutil Microsoft Documentation)

Contact About Legal notice Privacy policy Terms of use