Platform: Windows
Techniques:
Data from Local System (T1005) – The ‘wevtutil epl [log name]’ or ‘wevtutil export-log [log name]’
command can be used to export events from a specific log.
Indicator Removal on Host: Clear Windows Event Logs (T1070.001) – The ‘wevtutil cl [log name]’ or
‘wevtutil clear-log [log name]’ command can be used to clear the Security, System, Application and
any other event log channel on the system.
Impair Defenses: Indicator Blocking (T1562.006) – The ‘wevtutil.exe sl [log name] /e:false’ or
‘wevtutil.exe set-log /e:false [log name]’ can be used to disable specific event logs on the system.
Adversary Use:
G0007-APT28: APT28 has cleared event logs by using the commands ‘wevtutil cl System’ and ‘wevtutil cl
Security’. (https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)
G0032-Lazarus Group: Lazarus Group has used the ‘wevtutil epl Security’ command to export the Windows
Security event log. (https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-
intel-report2.pdf)
S0365-Olympic Destroyer: Olympic Destroyer has deleted the System and Security Windows event logs
using the ‘wevtutil cl System’ and ‘wevtutil cl Security’ commands.
(https://blog.talosintelligence.com/2018/02/olympic-destroyer.html)
S0368-NotPetya: NotPetya has cleared multiple event logs on the compromised device using the
commands ‘wevtutil cl Setup’, ‘wevtutil cl System’, ‘wevtutil cl Security’ and ‘wevtutil cl Application’.
(https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html)
S0372-LockerGoga: LockerGoga ransomware has disabled the Microsoft-Windows-WMI-Activity/Trace
Event Tracing for Windows (ETW) log channel using the ‘wevtutil.exe set-log /e:false
Microsoft-Windows-WMI-Activity/Trace’ command.
(https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1562-impair-
defenses)
S0400-RobinHood: RobinHood has used the ‘wevtutil cl’ command to clear the Application, Security and
System logs. (https://labs.sentinelone.com/robinhood-ransomware-coolmaker-function-not-cool/)
WastedLocker: WastedLocker has used the ‘wevtutil cl’ command to clear the contents of the local Security
event log on systems. (https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html)
KillDisk: KillDisk ransomware has cleared multiple event logs using ‘wevtutil clear-log’ command before
starting encryption. The commands used were ‘wevtutil clear-log application’, ‘wevtutil clear-log
security’, ‘wevtutil clear-log setup’ and ’wevtutil clear-log system’.
(https://www.mcafee.com/blogs/other-blogs/mcafee-labs/analyzing-killdisk-ransomware-part-1-
whitelisting/)
RansomEXX (Defray777): RansomEXX has used the ‘wevtutil cl’ command to clear multiple event logs from
the system. It also disabled the Security event log using the command ‘wevtutil.exe sl Security /e:false’.
(https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware,
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/)
Dharma (Crysis): Dharma ransomware has used ‘wevtutil el’ command to enumerate all logs on the
system and cleared them using ‘wevtutil cl’ command. (https://thedfirreport.com/2020/06/16/the-little-
ransomware-that-couldnt-dharma/)
Epsilon Red: Epsilon Red ransomware has cleared application, security and system event logs using
‘wevtutil cl’ command. (https://news.sophos.com/en-us/2021/05/28/epsilonred/)
Clop: Clop ransomware has used the ‘wevtutil el’ command to enumerate all logs on the system, which
were then cleared using the ‘wevtutil cl’ command.
(https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html)
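The three technique definitions above and the command lines quoted in the adversary-use entries share one detection surface: process creation telemetry (Security 4688 with command-line auditing, or Sysmon Event ID 1). The following is an added example, not code from the original page or from any of the cited reports: a small triage routine that parses wevtutil command lines, maps the verb to the technique listed above (export-log to T1005, clear-log to T1070.001, set-log with /e:false to T1562.006, enum-logs recorded without an ID), and flags hosts where several distinct logs were cleared, the mass-clear pattern of NotPetya, KillDisk, Dharma and Clop. It generalizes slightly beyond the page by accepting both short and long verb forms, a full or quoted path to wevtutil.exe, and /e:false placed before or after the log name (both orders appear in the entries above). The sample events, host names and the export path are constructed for illustration.

```python
import re
from collections import defaultdict

# wevtutil verbs (short and long forms) that matter for triage, mapped to the
# ATT&CK technique listed on this page. enum-logs has no technique ID here;
# it is recorded because adversaries enumerate logs before clearing them.
VERBS = {
    "epl": ("export-log", "T1005"), "export-log": ("export-log", "T1005"),
    "cl": ("clear-log", "T1070.001"), "clear-log": ("clear-log", "T1070.001"),
    "sl": ("set-log", "T1562.006"), "set-log": ("set-log", "T1562.006"),
    "el": ("enum-logs", None), "enum-logs": ("enum-logs", None),
}

_EXE = re.compile(r"^(?:.*[\\/])?wevtutil(?:\.exe)?$", re.IGNORECASE)
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted arguments intact."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_wevtutil(cmdline):
    """Return (verb, log_name, technique) for a wevtutil invocation of interest,
    or None. Handles wevtutil / wevtutil.exe / full path, short or long verbs,
    and /e:false placed before or after the log name."""
    argv = tokenize(cmdline)
    if len(argv) < 2 or not _EXE.match(argv[0]):
        return None
    entry = VERBS.get(argv[1].lower())
    if entry is None:
        return None
    verb, technique = entry
    options = [a.lower() for a in argv[2:] if a.startswith("/")]
    positional = [a for a in argv[2:] if not a.startswith("/")]
    log_name = positional[0] if positional else None
    if verb == "set-log" and not any(o in ("/e:false", "/enabled:false") for o in options):
        technique = None  # e.g. resizing a log with /ms: is routine administration
    return verb, log_name, technique


def triage(events):
    """events: iterable of (host, command_line). Returns one finding per
    wevtutil invocation of interest; 'technique' is None for benign-looking use."""
    findings = []
    for host, cmdline in events:
        parsed = parse_wevtutil(cmdline)
        if parsed:
            verb, log_name, technique = parsed
            findings.append({"host": host, "verb": verb, "log": log_name,
                             "technique": technique, "cmdline": cmdline})
    return findings


def mass_clear_hosts(findings, threshold=3):
    """Hosts on which at least `threshold` distinct logs were cleared. A single
    'wevtutil cl System' may still be an administrator; four logs in a row
    is the ransomware pattern quoted on this page."""
    cleared = defaultdict(set)
    for f in findings:
        if f["verb"] == "clear-log" and f["log"]:
            cleared[f["host"]].add(f["log"].lower())
    return {h: sorted(logs) for h, logs in cleared.items() if len(logs) >= threshold}


# Constructed sample process-creation events (host, command line). The command
# lines mirror those quoted in the adversary-use entries; hosts and paths are invented.
SAMPLE_EVENTS = [
    ("ws01", "wevtutil cl System"),
    ("ws01", "wevtutil cl Security"),
    ("ws01", "wevtutil cl Application"),
    ("ws01", "wevtutil cl Setup"),
    ("srv02", "wevtutil epl Security C:\\Windows\\Temp\\sec.evtx"),
    ("srv02", "wevtutil.exe set-log /e:false Microsoft-Windows-WMI-Activity/Trace"),
    ("srv02", "wevtutil.exe sl Security /e:false"),
    ("dc01", "\"C:\\Windows\\System32\\wevtutil.exe\" el"),
    ("dc01", "wevtutil.exe clear-log \"Microsoft-Windows-PowerShell/Operational\""),
    ("dc01", "wevtutil qe Application /c:5 /f:text"),        # benign query, ignored
    ("dc01", "wevtutil sl Application /ms:20971520"),        # resize, not T1562.006
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:6} {f['verb']:10} {str(f['log']):45} {f['technique']}")
    print("mass clear:", mass_clear_hosts(found))
```

Two caveats for anyone wiring this into a SIEM. Clearing a log leaves its own corroborating record: the Security log records Event ID 1102 ("The audit log was cleared") and the System log records Event ID 104 when wevtutil cl or clear-log succeeds, and the 1102 event names the account that did it. Disabling a channel with sl /e:false writes no such event, so process-creation telemetry with the full command line is the only reliable source for T1562.006; if command-line auditing is off, the set-log case above is invisible.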