| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1005 | Data from Local System | Wevtutil can be used to export events from a specific log.[1][2] | |
| Enterprise | T1562 | .002 | Impair Defenses:Disable Windows Event Logging | Wevtutil can be used to disable specific event logs on the system.[1] |
| Enterprise | T1070 | .001 | Indicator Removal:Clear Windows Event Logs | Wevtutil can be used to clear system and security event logs from the system.[1][3] |
| ID | Name | References |
|---|---|---|
| G0007 | APT28 | |
| G0143 | Aquatic Panda | Aquatic Panda usesWevtutil to extract Windows security event log data from victim machines.[4] |
| G1017 | Volt Typhoon | |
| G1040 | Play | |
| G0129 | Mustang Panda | Mustang Panda has leveragedWevtutil to gather information about usernames and Windows Security Event logs.[8] |
| ID | Name | Description |
|---|---|---|
| C0014 | Operation Wocao | DuringOperation Wocao, threat actors usedWevtutil to delete system and security event logs with |