EventPeeker

Event ID 1102 — Security Audit Log Cleared

Event ID 1102 is logged when the Windows Security event log is cleared. While administrators sometimes clear logs for maintenance, this event is a strong indicator of an active attacker attempting to cover their tracks.

MITRE ATT&CK

Technique: T1070 · Indicator Removal
Tactic: Defense Evasion
Reference: attack.mitre.org

Security Relevance

Clearing the audit log destroys forensic evidence of what the attacker did before the clear. This is a classic anti-forensics technique used by attackers after gaining admin access. A cleared log means you may have lost visibility into earlier malicious activity including credential attacks, privilege escalation, and persistence installation.

Example Log Entry

Log Name: Security
Source:    Microsoft-Windows-Security-Auditing
Event ID:  1102
Level:     Information

The audit log was cleared.

Subject:
  Security ID:   CORP\j.smith
  Account Name:  j.smith
  Account Domain: CORP
  Logon ID:      0x72A4F

Investigation Steps

  1. Identify who cleared the log — was it an expected administrator or an unusual account?
  2. Check the logon ID to determine what session cleared the log and where it originated.
  3. Look for Event ID 4624 entries before the clear to understand how the account accessed the system.
  4. Review other logs (System, Application, PowerShell) that may not have been cleared.
  5. Check for Event ID 4688 (process creation) near the time of the clear — wevtutil.exe is commonly used.
  6. Assume that activity before the clear may be unrecoverable — document what is known and escalate.
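Worked example of steps 1 to 5 (added here; not EventPeeker's code): a Python triage function over constructed Security-log records that ties each 1102 to its 4624 session by Logon ID, checks for a 4672 admin-privilege event in the same session, and flags a nearby 4688 whose command line references wevtutil.exe or Clear-EventLog. The field names and sample records are constructed and assume an EVTX parser has already flattened each event to a dict.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry), flattened to the fields an
# EVTX parser would expose. The Logon ID (from the page's example) links the
# 1102 to the session that performed the clear.
EVENTS = [
    {"id": 4624, "time": "2024-05-01T02:10:05", "logon_id": "0x72A4F",
     "user": "j.smith", "logon_type": 3, "src_ip": "10.20.30.40"},
    {"id": 4672, "time": "2024-05-01T02:10:05", "logon_id": "0x72A4F",
     "user": "j.smith"},
    {"id": 4688, "time": "2024-05-01T02:14:50", "logon_id": "0x72A4F",
     "user": "j.smith", "cmdline": "wevtutil.exe cl Security"},
    {"id": 1102, "time": "2024-05-01T02:14:51", "logon_id": "0x72A4F",
     "user": "j.smith"},
]

# Command-line fragments the page names as common log-clearing tooling.
CLEARING_TOOLS = ("wevtutil.exe", "clear-eventlog")
REMOTE_LOGON_TYPES = {3, 10}  # network and RDP sessions


def ts(event):
    return datetime.fromisoformat(event["time"])


def triage_log_clear(events, window=timedelta(minutes=10)):
    """Return one finding per Event ID 1102 with its correlated session context."""
    findings = []
    for clear in (e for e in events if e["id"] == 1102):
        lid = clear["logon_id"]
        logons = [e for e in events if e["id"] == 4624 and e["logon_id"] == lid]
        # 4688 within the window whose command line names a clearing tool
        procs = [e for e in events if e["id"] == 4688
                 and abs(ts(e) - ts(clear)) <= window
                 and any(t in e.get("cmdline", "").lower() for t in CLEARING_TOOLS)]
        logon_type = logons[0]["logon_type"] if logons else None
        findings.append({
            "cleared_by": clear["user"],
            "logon_id": lid,
            "logon_type": logon_type,
            "source_ip": logons[0]["src_ip"] if logons else None,
            "admin_session": any(e["id"] == 4672 and e["logon_id"] == lid for e in events),
            "clearing_processes": [p["cmdline"] for p in procs],
            # Remote session or observed clearing tool: escalate, per step 6
            "priority": "high" if procs or logon_type in REMOTE_LOGON_TYPES else "review",
        })
    return findings


if __name__ == "__main__":
    for f in triage_log_clear(EVENTS):
        print(f)
```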


Remediation

  • Forward logs to a SIEM or remote syslog server in real time so clearing local logs doesn't destroy all evidence.
  • Restrict log-clearing permissions — only specific service accounts should have SeSecurityPrivilege.
  • Enable alerting on Event ID 1102 in your SIEM — this should always page an analyst.
  • Review audit policy to ensure logs are protected and sized appropriately (minimum 1GB for Security log).
  • Investigate the account that cleared the log for signs of compromise.

Related Event IDs

1100: Event logging service shut down — another log-tampering indicator
4688: Process created — look for wevtutil.exe or Clear-EventLog usage
4624: Successful logon — trace how the attacker's session was established
4672: Special privileges assigned — confirms admin-level access to clear logs
