S0645 Wevtutil
Wevtutil is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.[1]
| Item | Value |
|---|---|
| ID | S0645 |
| Associated Names | |
| Type | TOOL |
| Version | 1.1 |
| Created | 14 September 2021 |
| Last Modified | 13 October 2022 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1005 | Data from Local System | Wevtutil can be used to export events from a specific log.[1][2] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.002 | Disable Windows Event Logging | Wevtutil can be used to disable specific event logs on the system.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.001 | Clear Windows Event Logs | Wevtutil can be used to clear system and security event logs from the system.[1][3] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0007 | APT28 | [3] |
References
1. Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.
2. F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020.
3. Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
4. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China's hidden hacking groups. Retrieved October 8, 2020.