T1070.001: T1070.001
Essential information
- MITRE technique ID
T1070.001- Confidence
- 100/100
- Revoked
- No
- Published
- 28/01/2020 18:05
- Modified
- 17/04/2026 13:15
- Author / Source
- The MITRE Corporation
Aliases
Clear Windows Event Logs
Platforms
windows
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-evasion |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (50)
-
WP-SHELLSTORM usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
4BID relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Aquatic Panda relatedThe MITRE Corporation Confidence 100
[Aquatic Panda](https://attack.mitre.org/groups/G0143) is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, [Aquatic Panda](https://attack.mitre.org/groups/G0143) has primarily…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Black Hunt relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CL-STA-1132 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CL0P relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Chimera relatedThe MITRE Corporation Confidence 100
[Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline…
First seen 01/01/1970 · Last seen 16/11/5138 · -
China-nexus APT relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Dark Power relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Dire Wolf relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB…
First seen 01/01/1970 · Last seen 16/11/5138 · -
ForumTroll APT relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (74)
-
WingtbCLI usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Underground usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Mythic Apollo usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
888 RAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Impacket usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
DUSTTRAP usesFamily The MITRE Corporation Confidence 100
[DUSTTRAP](https://attack.mitre.org/software/S1159) is a multi-stage plugin framework associated with [APT41](https://attack.mitre.org/groups/G0096) operations with multiple components.(Citation: Google Cloud APT41 2024)
First seen 01/01/1970 · Last seen 16/11/5138 · -
LockBit 2.0 usesFamily The MITRE Corporation Confidence 100
[LockBit 2.0](https://attack.mitre.org/software/S1199) is an affiliate-based Ransomware-as-a-Service (RaaS) that has been in use since at least June 2021 as the successor to LockBit Ransomware. [LockBit 2.0](https://attack.mitre.org/software/S1199) has versions capable…
First seen 01/01/1970 · Last seen 16/11/5138 · -
SynAck usesFamily The MITRE Corporation Confidence 100
[SynAck](https://attack.mitre.org/software/S0242) is variant of Trojan ransomware targeting mainly English-speaking users since at least fall 2017. (Citation: SecureList SynAck Doppelgänging May 2018) (Citation: Kaspersky Lab SynAck May 2018)
First seen 01/01/1970 · Last seen 16/11/5138 · -
NOOPDOOR usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
FlockWiper usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PipeMagic usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ClearWater usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (44)
-
AlienVault Confidence 100 13 CVEs 20 MITREs 4 Malwares 6 IOCs 5 Observables 1 APT
-
AlienVault Confidence 100 20 MITREs 6 Malwares 10 IOCs 2 Observables
-
AlienVault Confidence 100 4 CVEs 17 MITREs 3 Malwares 9 IOCs 6 Observables 1 APT
-
AlienVault Confidence 100 19 MITREs 5 Malwares 20 IOCs 1 APT
-
AlienVault Confidence 100 20 MITREs 2 Malwares 9 IOCs 2 Observables
-
AlienVault Confidence 100 20 MITREs 8 Malwares 11 IOCs 2 Observables 1 APT
-
AlienVault Confidence 100 20 MITREs 8 Malwares 11 IOCs 2 Observables 1 APT
-
AlienVault Confidence 100 1 CVE 20 MITREs 4 Malwares 3 IOCs 3 Observables 1 APT
-
1 CVE 20 MITREs 12 Malwares 6 Observables 1 APT
-
19 MITREs 2 Malwares 2 Observables 1 APT
-
AlienVault Confidence 100 1 CVE 20 MITREs 3 Malwares 3 IOCs 3 Observables 1 APT
-
AlienVault Confidence 100 1 CVE 23 MITREs 6 Malwares 32 IOCs 32 Observables
Vulnerabilities (CVE) (48)
VMware vCenter Server contains a file upload vulnerability in the Analytics service that allows a user with network access to port 443 …
- Published
- 03/11/2021
- Modified
- 21/12/2025
Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. A compromised child process …
- Attack vector
- Network
- Complexity
- Low
- Published
- 27/03/2025
- Modified
- 13/04/2026
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.
- Attack vector
- NETWORK
- Published
- 29/01/2026
- Modified
- 27/03/2026
The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked …
- Attack vector
- NETWORK
- Published
- 24/07/2025
- Modified
- 13/07/2026
A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi Connect Application to execute …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 02/07/2026
Google Chromium Mojo on Windows contains a sandbox escape vulnerability caused by a logic error, which results from an incorrect handle being …
- Attack vector
- Network
- Published
- 27/03/2025
- Modified
- 21/12/2025
Citrix NetScaler ADC and NetScaler Gateway contain a buffer overflow vulnerability that allows for sensitive information disclosure when configured as a Gateway …
- Attack vector
- Network
- Published
- 18/10/2023
- Modified
- 21/12/2025
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 29/01/2026
- Modified
- 10/04/2026
F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, …
- Published
- 10/05/2022
- Modified
- 20/12/2025
VMware vCenter Server vSphere Client contains a remote code execution vulnerability in a vCenter Server plugin which allows an attacker with network …
- Published
- 03/11/2021
- Modified
- 21/12/2025
Atlassian Confluence Data Center and Server contain an improper authorization vulnerability that can result in significant data loss when exploited by an …
- Attack vector
- Network
- Published
- 07/11/2023
- Modified
- 21/12/2025
Widget Factory Joomla Content Editor contains an improper access control vulnerability which could allow for upload and execution of PHP code via …
- Attack vector
- Network
- Complexity
- Low
- Published
- 05/06/2026
- Modified
- 13/07/2026
Tool (1)
-
Wevtutil usesThe MITRE Corporation Confidence 100
[Wevtutil](https://attack.mitre.org/software/S0645) is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.(Citation: Wevtutil Microsoft Documentation)