1. Home
  2. Software
  3. Wevtutil

Wevtutil

Wevtutil is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.[1]

ID: S0645
Type: TOOL
Platforms: Windows
Contributors: Viren Chaudhari, Qualys; Harshal Tupsamudre, Qualys
Version: 1.0
Created: 14 September 2021
Last Modified: 21 September 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

Wevtutil can be used to export events from a specific log.[1][2]
Enterprise T1562 .002 Impair Defenses: Disable Windows Event Logging

Wevtutil can be used to disable specific event logs on the system.[1]
Enterprise T1070 .001 Indicator Removal on Host: Clear Windows Event Logs

Wevtutil can be used to clear system and security event logs from the system.[1][3]

Groups That Use This Software

ID Name References
G0007 APT28

[3]

References

  1. Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.
  2. F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020.
  1. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.