Wevtutil

Wevtutil is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.[1]

ID: S0645
Type: TOOL
Platforms: Windows
Contributors: Viren Chaudhari, Qualys; Harshal Tupsamudre, Qualys
Version: 1.1
Created: 14 September 2021
Last Modified: 13 October 2022

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

Wevtutil can be used to export events from a specific log.[1][2]

Enterprise T1562.002 Impair Defenses: Disable Windows Event Logging

Wevtutil can be used to disable specific event logs on the system.[1]

Enterprise T1070.001 Indicator Removal: Clear Windows Event Logs

Wevtutil can be used to clear system and security event logs from the system.[1][3]

Groups That Use This Software

ID Name References
G0007 APT28 [3]
G1017 Volt Typhoon [4]

Campaigns

ID Name Description
C0014 Operation Wocao

During Operation Wocao, threat actors used Wevtutil to delete system and security event logs with wevtutil cl system and wevtutil cl security.[5]
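The detection logic below is an added example from an editor's defender perspective, not part of the ATT&CK entry or any of the cited reports: it scans constructed process-creation and event-log records for the two wevtutil behaviours described on this page (clearing a log with cl/clear-log, and disabling a log with sl/set-log /e:false) and corroborates clears with the Security "audit log was cleared" (1102) and System "log file was cleared" (104) events. The sample records, field names and user names are constructed for the example.

```python
import re

# Constructed sample telemetry (Sysmon Event ID 1 style process creation plus
# Windows Event Log records); not data from any real incident.
SAMPLE_EVENTS = [
    {"EventID": 1, "CommandLine": "wevtutil cl System", "User": "CORP\\alice"},
    {"EventID": 1, "CommandLine": "C:\\Windows\\System32\\wevtutil.exe clear-log Security", "User": "CORP\\alice"},
    {"EventID": 1, "CommandLine": "wevtutil qe Security /c:5 /f:text", "User": "CORP\\bob"},
    {"EventID": 1, "CommandLine": "WEVTUTIL.EXE sl Microsoft-Windows-PowerShell/Operational /e:false", "User": "CORP\\alice"},
    {"EventID": 1, "CommandLine": "wevtutil sl Application /ms:1048576", "User": "CORP\\bob"},
    {"EventID": 1102, "Channel": "Security", "User": "CORP\\alice"},
    {"EventID": 104, "Channel": "System", "User": "CORP\\alice"},
]

# wevtutil accepts both the short and the long form of each verb.
CLEAR_VERBS = {"cl", "clear-log"}
SETLOG_VERBS = {"sl", "set-log"}
# Match "wevtutil", "wevtutil.exe", or a full path to it, case-insensitively.
# Whitespace splitting below assumes the System32 path (no spaces), which is where wevtutil lives.
EXE_RE = re.compile(r'^"?(?:.*[\\/])?wevtutil(?:\.exe)?"?$', re.IGNORECASE)

def classify_command(cmdline):
    """Return (technique_id, log_name) for a wevtutil clear or disable call, else None."""
    tokens = cmdline.split()
    if len(tokens) < 3 or not EXE_RE.match(tokens[0]):
        return None
    verb, log = tokens[1].lower(), tokens[2]
    if verb in CLEAR_VERBS:
        return ("T1070.001", log)                       # Clear Windows Event Logs
    if verb in SETLOG_VERBS and any(t.lower() == "/e:false" for t in tokens[3:]):
        return ("T1562.002", log)                       # Disable Windows Event Logging
    return None                                         # query/export/size changes are not flagged

def detect(events):
    """Flag wevtutil clear/disable commands and the log-cleared events that corroborate them."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            hit = classify_command(ev.get("CommandLine", ""))
            if hit:
                alerts.append({"technique": hit[0], "log": hit[1], "user": ev["User"], "source": "process"})
        elif ev["EventID"] in (1102, 104):
            # 1102: Security audit log cleared; 104: System log file cleared (Microsoft-Windows-Eventlog)
            alerts.append({"technique": "T1070.001", "log": ev["Channel"], "user": ev["User"], "source": "eventlog"})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Correlating a process alert with a 1102/104 event for the same log and user within a short window gives a higher-confidence signal than either source alone.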

References