
Software Name: WEVTUTIL

Description: ‘wevtutil.exe’ is a Windows command-line utility that enables administrators to
retrieve information about event logs and publishers. This utility can also be used to install and uninstall
event manifests, to run queries, and to export, archive, disable and clear logs.
(https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil)
Adversaries typically use the ‘wevtutil’ utility to enumerate, clear, disable or export specific logs.

Platform: Windows

Techniques:

Data from Local System (T1005) – The ‘wevtutil epl [log name] [export file]’ or ‘wevtutil export-log
[log name] [export file]’ command can be used to export the events of a specific log to an .evtx file.

Indicator Removal on Host: Clear Windows Event Logs (T1070.001) – The ‘wevtutil cl [log name]’ or
‘wevtutil clear-log [log name]’ command can be used to clear the Security, System, Application and any
other event log on the system.

Impair Defenses: Indicator Blocking (T1562.006) – The ‘wevtutil.exe sl [log name] /e:false’ or
‘wevtutil.exe set-log [log name] /e:false’ command can be used to disable a specific event log so that no
further events are written to it.
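
Detection logic for the three command forms above, as an added example; it is not from the original page or from any of the reports cited below. It assumes process-creation command lines (Security event 4688 or Sysmon event 1) have already been extracted as strings, the records it runs over are constructed, and the long option spelling /enabled:false is an assumption (only /e:false is documented). It deliberately handles the short and long verb spellings, wevtutil versus a quoted full path to wevtutil.exe, mixed case, and chained invocations such as the cmd.exe for-loop that enumerates logs with ‘el’ and clears each with ‘cl’.

```python
"""Triage process-creation command lines for wevtutil abuse.

Added example (not part of the original page). Assumes command lines from
Security 4688 / Sysmon 1 are already plain strings; SAMPLE_RECORDS below
are constructed.
"""
import re
from dataclasses import dataclass

# Short and long verb spellings accepted by wevtutil, mapped to one canonical name.
VERB_ALIASES = {
    "cl": "clear-log", "clear-log": "clear-log",
    "sl": "set-log", "set-log": "set-log",
    "epl": "export-log", "export-log": "export-log",
    "el": "enum-logs", "enum-logs": "enum-logs",
}

# One match per wevtutil invocation. The non-greedy body stops at the next
# wevtutil token, a cmd.exe operator (& or |), or end of line, so chained
# commands yield one match per call. Accepts wevtutil / wevtutil.exe in any
# case and a quoted full path such as "C:\Windows\System32\wevtutil.exe".
INVOCATION = re.compile(
    r'\bwevtutil(?:\.exe)?"?\s+([a-z-]+)(.*?)(?=\bwevtutil\b|[&|]|$)',
    re.IGNORECASE,
)

# /e:false is the documented short form; matching /enabled:false as well is
# an assumption about the long option name.
DISABLE_FLAG = re.compile(r'/e(?:nabled)?:false', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK ID, or "recon" for log enumeration
    verb: str        # canonical wevtutil verb
    target: str      # log name as typed (may be a cmd variable such as %1)


def analyse_command_line(cmdline: str) -> list[Finding]:
    """Return one Finding per suspicious wevtutil call found in a command line."""
    findings = []
    for m in INVOCATION.finditer(cmdline):
        verb = VERB_ALIASES.get(m.group(1).lower())
        args = m.group(2).strip()
        tokens = args.split()
        target = tokens[0].strip("\"'") if tokens else ""
        if verb == "clear-log":
            findings.append(Finding("T1070.001", verb, target))
        elif verb == "set-log" and DISABLE_FLAG.search(args):
            # set-log with /e:true (re-enabling) or other options is not flagged
            findings.append(Finding("T1562.006", verb, target))
        elif verb == "export-log":
            findings.append(Finding("T1005", verb, target))
        elif verb == "enum-logs":
            findings.append(Finding("recon", verb, "*"))
    return findings


# Constructed sample records: (event_id, image, command_line).
SAMPLE_RECORDS = [
    ("4688", r"C:\Windows\System32\wevtutil.exe", "wevtutil cl System"),
    ("1", r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe clear-log Security"),
    ("4688", r"C:\Windows\System32\wevtutil.exe",
     r'"C:\Windows\System32\wevtutil.exe" sl Security /e:false'),
    ("1", r"C:\Windows\System32\wevtutil.exe",
     r"wevtutil epl Security C:\Users\Public\sec.evtx"),
    ("4688", r"C:\Windows\System32\cmd.exe",
     r'''cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"'''),
    ("4688", r"C:\Windows\System32\wevtutil.exe", "wevtutil sl Security /e:true"),  # benign
    ("4688", r"C:\Windows\System32\wevtutil.exe", "wevtutil qe Security /c:5"),     # benign
]


def triage(records) -> dict[str, list[tuple[str, str]]]:
    """Group (command_line, target) pairs by technique across a batch of records."""
    hits: dict[str, list[tuple[str, str]]] = {}
    for _event_id, _image, cmdline in records:
        for f in analyse_command_line(cmdline):
            hits.setdefault(f.technique, []).append((cmdline, f.target))
    return hits


if __name__ == "__main__":
    for technique, entries in sorted(triage(SAMPLE_RECORDS).items()):
        print(technique)
        for cmdline, target in entries:
            print(f"  log={target!r:<12} {cmdline}")
```

Command-line matching alone misses a renamed copy of the binary or a direct call to the underlying API, so pair it with the log-side artefacts: clearing the Security log writes Event ID 1102 (Microsoft-Windows-Eventlog) into the Security log itself, and clearing any other log writes Event ID 104 into the System log. A disabled log produces no such event, which is why the set-log /e:false pattern is worth its own rule.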

Adversary Use:

G0007-APT28: APT28 has cleared event logs by using the commands ‘wevtutil cl System’ and ‘wevtutil cl
Security’. (https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)

G0032-Lazarus Group: Lazarus Group has used the ‘wevtutil epl Security’ command to export the Windows
Security event log.
(https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf)

S0365-Olympic Destroyer: Olympic Destroyer has cleared the System and Security Windows event logs
using the ‘wevtutil cl System’ and ‘wevtutil cl Security’ commands.
(https://blog.talosintelligence.com/2018/02/olympic-destroyer.html)

S0368-NotPetya: NotPetya has cleared multiple event logs on the compromised device using the
commands ‘wevtutil cl Setup’, ‘wevtutil cl System’, ‘wevtutil cl Security’ and ‘wevtutil cl Application’.
(https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html)

S0372-LockerGoga: LockerGoga ransomware has disabled the Event Tracing for Windows (ETW) trace log
‘Microsoft-Windows-WMI-Activity/Trace’ using the command
‘wevtutil.exe set-log /e:false Microsoft-Windows-WMI-Activity/Trace’.
(https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1562-impair-defenses)

S0400-RobinHood: RobinHood ransomware has used the ‘wevtutil cl’ command to clear the application,
security and system logs. (https://labs.sentinelone.com/robinhood-ransomware-coolmaker-function-not-cool/)

WastedLocker: WastedLocker has used the ‘wevtutil cl’ command to clear the contents of the local Security
event log on infected systems. (https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html)

KillDisk: KillDisk ransomware has cleared multiple event logs using the ‘wevtutil clear-log’ command
before starting encryption. The commands used were ‘wevtutil clear-log application’, ‘wevtutil clear-log
security’, ‘wevtutil clear-log setup’ and ‘wevtutil clear-log system’.
(https://www.mcafee.com/blogs/other-blogs/mcafee-labs/analyzing-killdisk-ransomware-part-1-whitelisting/)

RansomEXX (Defray777): RansomEXX has used the ‘wevtutil cl’ command to clear multiple event logs from
the system. It has also disabled the Security event log using the command ‘wevtutil.exe sl Security /e:false’.
(https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware,
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/)

Dharma (Crysis): Dharma ransomware has used the ‘wevtutil el’ command to enumerate all logs on the
system and then cleared each of them using the ‘wevtutil cl’ command.
(https://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/)

Epsilon Red: Epsilon Red ransomware has cleared the application, security and system event logs using
the ‘wevtutil cl’ command. (https://news.sophos.com/en-us/2021/05/28/epsilonred/)

Clop: Clop ransomware has used the ‘wevtutil el’ command to enumerate all logs on the system and then
cleared each of them using the ‘wevtutil cl’ command.
(https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html)
