S0645 Wevtutil
Wevtutil is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.[1]
| Item | Value |
|---|---|
| ID | S0645 |
| Associated Names | |
| Type | TOOL |
| Version | 1.2 |
| Created | 14 September 2021 |
| Last Modified | 25 September 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1005 | Data from Local System | Wevtutil can be used to export events from a specific log.[1][3] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.002 | Disable Windows Event Logging | Wevtutil can be used to disable specific event logs on the system.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.001 | Clear Windows Event Logs | Wevtutil can be used to clear system and security event logs from the system.[1][2] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0007 | APT28 | [2] |
| G0143 | Aquatic Panda | Aquatic Panda uses Wevtutil to extract Windows security event log data from victim machines.[5] |
| G1017 | Volt Typhoon | [7][6] |
| G1040 | Play | [8] |
| G0129 | Mustang Panda | Mustang Panda has leveraged Wevtutil to gather information about usernames and Windows Security Event logs.[9] |
References
1. Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.
2. Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
3. F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020.
4. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
5. CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024.
6. CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
7. NSA et al. (2023, May 24). People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.
8. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
9. Lior Rochberger, Tom Fakterman, Robert Falcone. (2023, September 22). Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda. Retrieved September 9, 2025.