T1070.001: T1070.001

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 28/01/2020 18:05 · Modified 17/04/2026 13:15

Essential information

MITRE technique ID: T1070.001
Confidence: 100/100
Revoked: No
Published: 28/01/2020 18:05
Modified: 17/04/2026 13:15
Author / Source: The MITRE Corporation

Aliases

Clear Windows Event Logs

Platforms

windows

Description

Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit. With administrator privileges, the event logs can be cleared with the following utility commands: * `wevtutil cl system` * `wevtutil cl application` * `wevtutil cl security` These logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command `Remove-EventLog -LogName Security` to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging) Adversaries may also attempt to clear logs by directly deleting the stored log files within `C:\Windows\System32\winevt\logs\`.

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

disable_win_evt_logging
Microsoft Clear-EventLog
Microsoft EventLog.Clear
mitre-attack (T1070.001)
Microsoft wevtutil Oct 2017

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (47)

FunkSec related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
HAFNIUM related Operation Exchange MarauderSilk Typhoon

The MITRE Corporation Confidence 100

[HAFNIUM](https://attack.mitre.org/groups/G0125) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. [HAFNIUM](https://attack.mitre.org/groups/G0125) primarily targets entities in the US…

First seen 01/01/1970 · Last seen 16/11/5138 ·
RansomHub related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RomCom related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RudePanda related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
STARDUST CHOLLIMA related NICKEL GLADSTONEBeagleBoyz

The MITRE Corporation Confidence 100

[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020)…

First seen 01/01/1970 · Last seen 16/11/5138 ·
The Gentlemen related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Twelve related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Underground related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
WEBJACK related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Water Bakunawa related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 4

37–47 of 47

FatalRAT uses

Family
BlackReaperRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BlackMatter uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
LockBit 5.0 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
XlAnyLoader uses

Family
EtherRAT uses

Family
KaWaLocker 2.0 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RansomEXX uses

Family
Dante uses

Family
NotPetya uses

Family
FaceFish uses

Family
TukTuk uses

Family

← Previous

Page / 6

1–12 of 72

WEBJACK: Evolving IIS Hijacking Campaign Abuses SEO for … related

11 MITREs 4 Malwares 34 Observables 1 APT
RONINGLOADER: DragonBreath's New Path to PPL Abuse related

21 MITREs 4 Malwares 14 Observables 1 APT
License to Encrypt: Make Their Move related

17 MITREs 1 Malware 1 APT
Underground Ransomware Being Distributed Worldwide related

11 MITREs 1 Malware 1 APT
Ransomware incidents in Japan during the first half … related

11 MITREs 2 Malwares 1 APT
Illusory Wishes: China-nexus APT Targets the Tibetan Community related

17 MITREs 2 Malwares 26 Observables 1 APT
Dire Wolf Strikes: New Ransomware Group Targeting Global … related

7 MITREs 1 Malware 2 Observables 1 APT
Hide Your RDP: Password Spray Leads to RansomHub … related

25 MITREs 2 Malwares 9 Observables 1 APT
Unmasking the new persistent attacks on Japan related

1 CVE 10 MITREs 1 Malware 3 Observables
Operation SalmonSlalom related

23 MITREs 6 Malwares 160 Observables
Confluence Exploit Leads to LockBit Ransomware related

4 CVEs 19 MITREs 1 Malware 15 Observables 1 APT
CL0P Ransomware: Latest Attacks related

1 CVE 35 MITREs 1 Malware 6 Observables 1 APT

← Previous

Page / 4

13–24 of 37

Vulnerabilities (CVE) (31)

CVE-2024-4577 KEV targets

9.8 Critical

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system …

Attack vector: Network
Published: 12/06/2024
Modified: 21/12/2025

Received

CVE-2023-39143 targets

9.8 Critical

PaperCut NG and PaperCut MF before 22.1.3 on Windows allow path traversal, enabling attackers to upload, read, or delete arbitrary files. This …

Attack vector: NETWORK
Published: 04/08/2023
Modified: 08/05/2026

CVE-2017-0199 KEV targets

7.8 High

Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. Successful exploitation allows for …

Attack vector: LOCAL
Complexity: LOW
Published: 12/04/2017
Modified: 22/04/2026

CVE-2025-0921 targets

6.5 Medium

Execution with Unnecessary Privileges vulnerability in multiple services of Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 …

Attack vector: Local
Complexity: LOW
Published: 16/05/2025
Modified: 17/04/2026

CWE-250

CVE-2023-22515 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contains a broken access control vulnerability that allows an attacker to create unauthorized Confluence administrator accounts …

Attack vector: Network
Published: 05/10/2023
Modified: 21/12/2025

CVE-2026-0300 KEV targets

9.3 Critical

A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated …

Attack vector: Network
Complexity: Low
Published: 06/05/2026
Modified: 15/05/2026

CWE-787 Received

CVE-2025-24983 KEV targets

7.0 High

Microsoft Windows Win32 Kernel Subsystem contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally.

Attack vector: Local
Published: 11/03/2025
Modified: 21/12/2025

Undergoing Analysis

CVE-2026-1731 KEV targets

9.9 Critical

BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker …

Attack vector: Network
Published: 13/02/2026
Modified: 20/02/2026

Received

CVE-2023-22527 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contain an unauthenticated OGNL template injection vulnerability that can lead to remote code execution.

Attack vector: Network
Published: 24/01/2024
Modified: 21/12/2025

CVE-2025-29824 KEV targets

7.8 High

Microsoft Windows Common Log File System (CLFS) Driver contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally.

Attack vector: Local
Published: 08/04/2025
Modified: 21/12/2025

Undergoing Analysis

CVE-2023-33538 KEV targets

8.8 High

TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm. The impacted products could be …

Attack vector: Network
Published: 16/06/2025
Modified: 21/12/2025

CVE-2024-50623 KEV targets

9.8 Critical

Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload and download vulnerability that can lead …

Attack vector: Network
Published: 13/12/2024
Modified: 21/12/2025

Awaiting Analysis

← Previous

Page / 3

1–12 of 31

T1070 subtechnique-of

Indicator Removal MITRE

Tool (1)

Wevtutil uses

The MITRE Corporation Confidence 100

[Wevtutil](https://attack.mitre.org/software/S0645) is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.(Citation: Wevtutil Microsoft Documentation)

Contact About Legal notice Privacy policy Terms of use