T1070.001: T1070.001
Essential information
- MITRE technique ID
T1070.001- Confidence
- 100/100
- Revoked
- No
- Published
- 28/01/2020 18:05
- Modified
- 17/04/2026 13:15
- Author / Source
- The MITRE Corporation
Aliases
Clear Windows Event Logs
Platforms
windows
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-evasion |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (50)
-
WEBJACK relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Water Bakunawa relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (74)
-
FaceFish usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
TukTuk usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Olympic Destroyer usesFamily The MITRE Corporation Confidence 100
[Olympic Destroyer](https://attack.mitre.org/software/S0365) is malware that was used by [Sandworm Team](https://attack.mitre.org/groups/G0034) against the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware was to…
First seen 01/01/1970 · Last seen 16/11/5138 · -
LockBit usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PsExec usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
FinFisher usesFamily The MITRE Corporation Confidence 100
[FinFisher](https://attack.mitre.org/software/S0182) is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple…
First seen 01/01/1970 · Last seen 16/11/5138 · -
ShrinkLocker usesFamily The MITRE Corporation Confidence 100
[ShrinkLocker](https://attack.mitre.org/software/S1178) is a VBS-based malicious script that leverages the legitimate Bitlocker application to encrypt files on victim systems for ransom. [ShrinkLocker](https://attack.mitre.org/software/S1178) functions by using Bitlocker to encrypt files,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
PhantomNet usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Nitrogen usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
LV usesThe MITRE Corporation Confidence 100
[njRAT](https://attack.mitre.org/software/S0385) is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.(Citation: Fidelis njRAT June 2013)
First seen 01/01/1970 · Last seen 16/11/5138 · -
HRSword usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
NetExec usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (44)
-
AlienVault Confidence 100 1 CVE 18 MITREs 4 Malwares 9 IOCs 9 Observables
-
12 CVEs 20 MITREs 2 Malwares 4 Observables 1 APT
-
AlienVault Confidence 100 15 MITREs 1 Malware 8 IOCs 8 Observables
-
AlienVault Confidence 100 21 MITREs 1 Malware 8 IOCs 8 Observables 1 APT
-
19 MITREs 1 Malware 3 Observables 1 APT
-
46 MITREs 6 Malwares 27 Observables 1 APT
-
AlienVault Confidence 100 20 MITREs 3 Malwares 2 IOCs 2 Observables 1 APT
-
11 MITREs 4 Malwares 34 Observables 1 APT
-
21 MITREs 3 Malwares 14 Observables 1 APT
-
17 MITREs 1 Malware 1 APT
-
11 MITREs 1 Malware 1 APT
-
11 MITREs 2 Malwares 1 APT
Vulnerabilities (CVE) (48)
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system …
- Attack vector
- Network
- Published
- 12/06/2024
- Modified
- 21/12/2025
PaperCut NG and PaperCut MF before 22.1.3 on Windows allow path traversal, enabling attackers to upload, read, or delete arbitrary files. This …
- Attack vector
- NETWORK
- Published
- 04/08/2023
- Modified
- 08/05/2026
The WavePlayer WordPress plugin before 3.8.0 does not have authorization in an AJAX action as well as does not validate the file …
- Attack vector
- Network
- Published
- 19/11/2025
- Modified
- 13/07/2026
Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. Successful exploitation allows for …
- Attack vector
- LOCAL
- Complexity
- LOW
- Published
- 12/04/2017
- Modified
- 22/04/2026
Execution with Unnecessary Privileges vulnerability in multiple services of Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 …
- Attack vector
- Local
- Complexity
- LOW
- Published
- 16/05/2025
- Modified
- 17/04/2026
Atlassian Confluence Data Center and Server contains a broken access control vulnerability that allows an attacker to create unauthorized Confluence administrator accounts …
- Attack vector
- Network
- Published
- 05/10/2023
- Modified
- 21/12/2025
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated …
- Attack vector
- Network
- Complexity
- Low
- Published
- 06/05/2026
- Modified
- 15/05/2026
Microsoft Windows Win32 Kernel Subsystem contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally.
- Attack vector
- Local
- Published
- 11/03/2025
- Modified
- 21/12/2025
BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker …
- Attack vector
- Network
- Published
- 13/02/2026
- Modified
- 20/02/2026
- Published
- 13/07/2026
Atlassian Confluence Data Center and Server contain an unauthenticated OGNL template injection vulnerability that can lead to remote code execution.
- Attack vector
- Network
- Published
- 24/01/2024
- Modified
- 21/12/2025
Microsoft Windows Common Log File System (CLFS) Driver contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally.
- Attack vector
- Local
- Published
- 08/04/2025
- Modified
- 21/12/2025
Tool (1)
-
Wevtutil usesThe MITRE Corporation Confidence 100
[Wevtutil](https://attack.mitre.org/software/S0645) is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.(Citation: Wevtutil Microsoft Documentation)