Wevtutil
ID: S0645
ⓘ
Type: TOOL
ⓘ
Platforms: Windows
Contributors: Viren Chaudhari, Qualys; Harshal Tupsamudre, Qualys
Version: 1.2
Created: 14 September 2021
Last Modified: 25 September 2024
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1005 | Data from Local System | Wevtutil can be used to export events from a specific log.[1][2] | |
| Enterprise | T1562 | .002 | Impair Defenses:Disable Windows Event Logging | Wevtutil can be used to disable specific event logs on the system.[1] |
| Enterprise | T1070 | .001 | Indicator Removal:Clear Windows Event Logs | Wevtutil can be used to clear system and security event logs from the system.[1][3] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0007 | APT28 | |
| G0143 | Aquatic Panda | Aquatic Panda usesWevtutil to extract Windows security event log data from victim machines.[4] |
| G1017 | Volt Typhoon | |
| G1040 | Play | |
| G0129 | Mustang Panda | Mustang Panda has leveragedWevtutil to gather information about usernames and Windows Security Event logs.[8] |
Campaigns
| ID | Name | Description |
|---|---|---|
| C0014 | Operation Wocao | DuringOperation Wocao, threat actors usedWevtutil to delete system and security event logs with |
References
- Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.
- F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020.
- Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
- CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024.
- NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.
- CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
- Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
- Lior Rochberger, Tom Fakterman, Robert Falcone. (2023, September 22). Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda. Retrieved September 9, 2025.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
×