Wevtutil is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.[1]

ID: S0645
Type: TOOL
Platforms: Windows
Contributors: Viren Chaudhari, Qualys; Harshal Tupsamudre, Qualys
Version: 1.1
Created: 14 September 2021
Last Modified: 13 October 2022

Techniques Used

Domain      ID           Name
Enterprise  T1005        Data from Local System
    Use: Wevtutil can be used to export events from a specific log.[1][2]

Enterprise  T1562.002    Impair Defenses: Disable Windows Event Logging
    Use: Wevtutil can be used to disable specific event logs on the system.[1]

Enterprise  T1070.001    Indicator Removal: Clear Windows Event Logs
    Use: Wevtutil can be used to clear system and security event logs from the system.[1][3]

Groups That Use This Software

ID       Name            References
G0007    APT28
G1017    Volt Typhoon

Campaigns

ID       Name               Description
C0014    Operation Wocao    During Operation Wocao, threat actors used Wevtutil to delete system and security event logs with the commands wevtutil cl system and wevtutil cl security.[5]