S0645: Wevtutil
Analyst context for executives and security teams
Wevtutil is a legitimate Windows administration utility for working with event logs. Its security significance is that the same trusted tool can support both normal operations and adversary objectives, especially collecting local log data or impairing evidence by modifying or clearing Windows Event Logs. For leaders, this matters because loss of trustworthy Windows logs weakens incident response, audit evidence, and the ability to reconstruct an intrusion.
Executive priority
Prioritize Wevtutil coverage as a logging integrity and incident-readiness control, not as a malware-only problem. The relationships supplied by ATT&CK connect this tool to multiple groups and a campaign, and to techniques for local data collection and Windows Event Log impairment. Executives should ask whether critical Windows systems forward logs off-host, whether administrative use of log-management utilities is governed, and whether the SOC can prove visibility before and after a suspected log-clearing event.
Technical view
For Windows environments, validate visibility into Wevtutil process execution, command-line arguments, parent process, user context, host role, and whether activity aligns with approved administration. ATT&CK provides no official detection text for this object, so detections should be built around the related techniques: Data from Local System, Disable or Modify Windows Event Log, and Clear Windows Event Logs. SOC and IR teams should distinguish expected administrative log queries from suspicious modification or clearing behavior, especially when performed by unusual accounts, from unusual parent processes, or on sensitive servers.
Likely telemetry
- Windows process creation telemetry including executable name, command line, parent process, user, integrity/admin context, and host
- Windows Event Log records showing log clearing, modification, service changes, or gaps in expected logging
- Centralized log forwarding/SIEM ingestion status to confirm whether events survived local log tampering
- Endpoint detection telemetry for command-line utility execution and sequence context around the activity
- Administrative access records showing who had privileges to manage or clear event logs
Detection direction
- Inventory legitimate Wevtutil usage patterns by administrators and management tooling before writing high-severity alerts.
- Alert on Wevtutil activity associated with clearing or modifying Windows Event Logs, especially on servers, identity infrastructure, security tooling hosts, or other high-value systems.
- Correlate suspicious Wevtutil execution with authentication events, privilege use, remote administration, and sudden drops or gaps in log volume.
- Treat log clearing as an investigation trigger: local evidence may be incomplete, so compare endpoint telemetry with centralized logs and neighboring systems.
- Tune for false positives from approved maintenance, troubleshooting, or compliance log-management tasks; require change records or expected automation context where possible.
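To make the technical view and the detection direction above concrete, here is an added example written for this page; it is not code from MITRE, Microsoft, or the Glexia site. It triages constructed process-creation records in a Security 4688 / Sysmon Event ID 1 shape, classifies the wevtutil verb (cl/clear-log, sl/set-log with /e:false, epl/export-log, and read-only verbs such as qe), raises severity on account, parent process, and host role context, and then checks whether each Security 1102 / System 104 "log cleared" record is explained by a wevtutil clear on the same host. The baseline sets APPROVED_ACCOUNTS, APPROVED_PARENTS, and HIGH_VALUE_ROLES are hypothetical placeholders for your own inventory, and all sample events are constructed.

```python
"""Added example (not from the page, MITRE or Microsoft): triage wevtutil process
records and correlate them with 'log cleared' events. Sample data is constructed."""
from __future__ import annotations
import ntpath
from dataclasses import dataclass
from datetime import datetime, timedelta

# wevtutil verbs (short and long forms) from Microsoft's documented syntax.
CLEAR_VERBS = {"cl", "clear-log"}        # clears a log (Clear Windows Event Logs)
MODIFY_VERBS = {"sl", "set-log"}         # with /e:false this disables the log
EXPORT_VERBS = {"epl", "export-log"}     # exports a log to a file (local collection)

# Hypothetical local baseline: replace with your inventory of approved usage.
APPROVED_ACCOUNTS = {"corp\\svc-logmgmt"}
APPROVED_PARENTS = {r"c:\program files\logcollector\agent.exe"}
HIGH_VALUE_ROLES = {"domain-controller", "siem", "pki"}
SEVERITY = ["info", "low", "medium", "high", "critical"]
BASE_LEVEL = {"clear": 3, "disable": 3, "modify": 2, "export": 1, "read": 0}

@dataclass
class Finding:
    host: str
    category: str
    log: str | None
    severity: str
    reasons: list[str]

def parse_wevtutil(cmdline: str):
    """Return (verb, log_name, options) when cmdline invokes wevtutil, else None."""
    tokens = [t.strip('"') for t in cmdline.split()]
    for i, tok in enumerate(tokens):
        if ntpath.basename(tok).lower() in {"wevtutil", "wevtutil.exe"}:
            rest = tokens[i + 1:]
            break
    else:
        return None
    if not rest:
        return None
    positional = [a for a in rest[1:] if not a.startswith("/")]
    options = {o.lower() for o in rest[1:] if o.startswith("/")}
    return rest[0].lower(), (positional[0] if positional else None), options

def triage(event: dict) -> Finding | None:
    """Classify one process-creation record; context raises or lowers severity."""
    parsed = parse_wevtutil(event["cmdline"])
    if parsed is None:
        return None
    verb, log, options = parsed
    if verb in CLEAR_VERBS:
        category = "clear"
    elif verb in MODIFY_VERBS:
        category = "disable" if "/e:false" in options else "modify"
    elif verb in EXPORT_VERBS:
        category = "export"
    else:
        category = "read"                # qe, gl, el and other read-only verbs
    level, reasons = BASE_LEVEL[category], []
    if (event["user"].lower() in APPROVED_ACCOUNTS
            and event["parent"].lower() in APPROVED_PARENTS):
        level -= 1
        reasons.append("approved account and parent process")
    else:
        level += 1
        reasons.append(f"{event['user']} from {event['parent']} is not in the baseline")
    if event["role"] in HIGH_VALUE_ROLES:
        level += 1
        reasons.append(f"high-value host role {event['role']}")
    level = max(0, min(level, len(SEVERITY) - 1))
    return Finding(event["host"], category, log, SEVERITY[level], reasons)

def run_triage(events: list[dict]) -> list[Finding]:
    return [f for f in (triage(e) for e in events) if f is not None]

def unexplained_clears(process_events, cleared_events, window=timedelta(minutes=5)):
    """'Log cleared' records (Security 1102 / System 104) with no wevtutil clear on
    that host in the preceding window: another tool cleared it or process telemetry
    is missing, so the host's local evidence is suspect either way."""
    clears = [(e["host"], datetime.fromisoformat(e["time"])) for e in process_events
              if (p := parse_wevtutil(e["cmdline"])) and p[0] in CLEAR_VERBS]
    result = []
    for ce in cleared_events:
        t = datetime.fromisoformat(ce["time"])
        if not any(h == ce["host"] and timedelta(0) <= t - ct <= window for h, ct in clears):
            result.append(ce)
    return result

# Constructed sample telemetry (not real data) in a 4688 / Sysmon 1 field shape.
PROCESS_EVENTS = [
    {"time": "2024-05-01T09:00:00", "host": "ws-042", "role": "workstation",
     "user": "CORP\\jdoe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "wevtutil.exe qe Application /c:20 /f:text"},
    {"time": "2024-05-01T09:05:00", "host": "dc-01", "role": "domain-controller",
     "user": "CORP\\jdoe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\wevtutil.exe" cl Security'},
    {"time": "2024-05-01T09:06:00", "host": "dc-01", "role": "domain-controller",
     "user": "CORP\\jdoe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wevtutil sl Microsoft-Windows-PowerShell/Operational /e:false"},
    {"time": "2024-05-01T02:00:00", "host": "ws-042", "role": "workstation",
     "user": "CORP\\svc-logmgmt", "parent": r"C:\Program Files\LogCollector\agent.exe",
     "cmdline": r"wevtutil epl Security C:\Backups\sec.evtx"},
]
CLEARED_EVENTS = [  # constructed Security 1102 and System 104 records
    {"time": "2024-05-01T09:05:02", "host": "dc-01", "event_id": 1102},
    {"time": "2024-05-01T11:30:00", "host": "srv-07", "event_id": 104},
]
```

Run `run_triage(PROCESS_EVENTS)` and `unexplained_clears(PROCESS_EVENTS, CLEARED_EVENTS)` to see the result: the interactive clear and the disable on the domain controller come out as critical, the scheduled export by the approved collector is informational, and the System 104 on srv-07 is flagged because no wevtutil clear preceded it, which is exactly the case where local evidence must be compared against centralized logs. The severity arithmetic is deliberately simple; the point is that the verb decides the category while account, parent, and host role decide how loudly to alert.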
Mitigation priorities
- Restrict who can manage or clear Windows Event Logs through least-privilege administrative access.
- Forward important Windows logs to centralized, access-controlled storage so local clearing does not erase investigative evidence.
- Monitor and review privileged administrative activity involving event log configuration, clearing, or export.
- Define incident response procedures for suspected log impairment, including preservation of centralized telemetry and review of affected host trustworthiness.
- Maintain audit evidence showing log collection, retention, access control, and alerting for log tampering scenarios.
Analyst notes and limits
This is a dual-use Windows utility, so the risk comes from context rather than the file name alone. The supplied ATT&CK relationships associate Wevtutil with a campaign, multiple groups, and techniques for collection and defense impairment, and they establish Windows as the platform; they do not by themselves prove malicious use in any specific environment.
The supplied MITRE object carries only a short description, no detection guidance, and no tool-level tactics, so local baselines and control validation are essential. Detection quality depends on command-line logging, centralized log retention, endpoint telemetry, and the maturity of administrative processes.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1685.001 | Disable or Modify Windows Event Log | Wevtutil can be used to disable specific event logs on the system. [Wevtutil Microsoft Documentation] |
| Enterprise | T1005 | Data from Local System | Wevtutil can be used to export events from a specific log. [Wevtutil Microsoft Documentation] [F-Secure Lazarus Cryptocurrency Aug 2020] |
| Enterprise | T1685.005 | Clear Windows Event Logs | Wevtutil can be used to clear system and security event logs from the system. [Wevtutil Microsoft Documentation] [Crowdstrike DNC June 2016] |
Groups, software, and campaigns
G0007: APT28
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
G0143: Aquatic Panda
Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, Aquatic Panda has primarily targeted entities in the telecommunications, technology, and government sectors.[1]
G1017: Volt Typhoon
Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activities, and stolen credentials.[1][2][3][4] The group has leveraged compromised SOHO routers to proxy command and control traffic and obscure its infrastructure, activity associated with the KV botnet.[5]
Reporting indicates a separate initial access cluster, SYLVANITE, has been observed exploiting internet-facing edge devices and transferring access to Volt Typhoon, also tracked as VOLTZITE, for follow-on operations.[6]
G1040: Play
Play is a ransomware group that has been active since at least 2022 deploying Playcrypt ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Play actors employ a double-extortion model, encrypting systems after exfiltrating data, and are presumed by security researchers to operate as a closed group.[1][2]
G0129: Mustang Panda
Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam.[1][2][3][4][5][6][7][8][9][10][11][12][13]
G1054: MirrorFace
MirrorFace is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the menuPass umbrella based on targeting, tools, and infrastructure overlaps. MirrorFace has been active since at least 2019, at first exclusively targeting Japanese organizations across the media, defense, diplomatic, financial, manufacturing, and academic sectors. Subsequent MirrorFace operations included targets in Central Europe and featured use of LODEINFO, HiddenFace, and UPPERCUT malware.[1][2][3][4][5][6]
C0014: Operation Wocao
Operation Wocao was a cyber espionage campaign that targeted organizations around the world, including in Brazil, China, France, Germany, Italy, Mexico, Portugal, Spain, the United Kingdom, and the United States. The suspected China-based actors compromised government organizations and managed service providers, as well as aviation, construction, energy, finance, health care, insurance, offshore engineering, software development, and transportation companies.[1]
Security researchers assessed the Operation Wocao actors used similar TTPs and tools as APT20, suggesting a possible overlap. Operation Wocao was named after an observed command line entry by one of the threat actors, possibly out of frustration from losing webshell access.[1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 323f794c8d35… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Wevtutil Microsoft Documentation. Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.
[2] mitre-attack S0645. MITRE ATT&CK software object S0645: Wevtutil.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.