Windows Event ID 1102
One-liner: A Windows Security Event indicating the Security audit log was cleared, a strong indicator of attacker anti-forensics activity.
What Is It?
Windows Event ID 1102 is generated whenever the Security event log is cleared. This is a critical detection opportunity because:
- Attackers clear logs to hide their tracks after compromise
- It's part of the Defense Evasion tactic (MITRE T1070.001)
- Legitimate log clearing is rare and should be documented
- The event itself survives the log clearing operation
Channel: Security
MITRE ATT&CK: T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
How It Works
Event Details
```xml
<Event>
  <System>
    <EventID>1102</EventID>
    <Channel>Security</Channel>
    <Computer>WKSTN-1.domain.local</Computer>
  </System>
  <UserData>
    <LogFileCleared>
      <SubjectUserName>attacker</SubjectUserName>
      <SubjectDomainName>DOMAIN</SubjectDomainName>
      <SubjectLogonId>0x3e7</SubjectLogonId>
    </LogFileCleared>
  </UserData>
</Event>
```
Key Fields
| Field | Description |
|---|---|
| SubjectUserName | Account that cleared the logs |
| SubjectDomainName | Domain of the account |
| SubjectLogonId | Logon session ID (correlate with Event ID 4624) |
Common Methods Attackers Use
```cmd
:: Windows Command Prompt
wevtutil cl Security
wevtutil cl System
wevtutil cl Application
```

```powershell
# PowerShell
Clear-EventLog -LogName Security
[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog("Security")
```

```cmd
:: Clear all logs
for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
```
Detection & Hunting
KQL Query (from THM Threat Hunting Foothold)

```
host.name: WKSTN-* AND winlog.event_id: 1102
```
Investigation Steps
- Identify who cleared the logs (SubjectUserName)
- Correlate with preceding events using Logon ID
- Check other log sources (Sysmon, PowerShell, network)
- Use "View Surrounding Documents" in Kibana to see what happened before
Correlating with Command Execution
Look for the command that cleared the logs (wevtutil or Clear-EventLog execution):

```
host.name: WKSTN-* AND (process.name: wevtutil.exe OR *Clear-EventLog*)
```
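The investigation steps above (identify the clearer, pivot on the logon ID, find the clearing command), as an added Python example that is not part of the original page or the THM room: it parses a few constructed Security records in the same namespace-stripped XML shape as the snippet above and correlates the 1102 with its 4624 logon and any 4688 process creation in that session. Assumed: the events have already been exported to XML, and 4688 command-line auditing is enabled (all values in the sample are made up).

```python
import xml.etree.ElementTree as ET
# Constructed sample records: a 4624 logon, a 4688 process creation and the 1102 clear, all sharing logon ID 0x3e7.
SAMPLE_XML = """<Events>
<Event><System><EventID>4624</EventID><Computer>WKSTN-1.domain.local</Computer>
<TimeCreated SystemTime="2024-01-01T10:00:00Z"/></System><EventData>
<Data Name="TargetUserName">attacker</Data><Data Name="TargetLogonId">0x3e7</Data>
<Data Name="IpAddress">10.0.0.5</Data></EventData></Event>
<Event><System><EventID>4688</EventID><Computer>WKSTN-1.domain.local</Computer>
<TimeCreated SystemTime="2024-01-01T10:04:30Z"/></System><EventData>
<Data Name="SubjectLogonId">0x3e7</Data><Data Name="NewProcessName">C:\\Windows\\System32\\wevtutil.exe</Data>
<Data Name="CommandLine">wevtutil cl Security</Data></EventData></Event>
<Event><System><EventID>1102</EventID><Computer>WKSTN-1.domain.local</Computer>
<TimeCreated SystemTime="2024-01-01T10:04:31Z"/></System><UserData><LogFileCleared>
<SubjectUserName>attacker</SubjectUserName><SubjectDomainName>DOMAIN</SubjectDomainName>
<SubjectLogonId>0x3e7</SubjectLogonId></LogFileCleared></UserData></Event></Events>"""

CLEAR_MARKERS = ("wevtutil", "clear-eventlog", "clearlog(")  # the clearing methods listed above

def parse_events(xml_text):
    """Flatten each <Event> into id/computer/time plus its EventData or UserData fields."""
    events = []
    for ev in ET.fromstring(xml_text).iter("Event"):
        sysn = ev.find("System")
        fields = {d.get("Name"): (d.text or "") for d in ev.iter("Data")}
        ud = ev.find("UserData")
        if ud is not None:  # 1102 stores its fields as plain child elements, not <Data Name=...>
            fields.update({n.tag: n.text for n in ud.iter() if len(n) == 0 and n.text})
        events.append({"id": int(sysn.findtext("EventID")), "computer": sysn.findtext("Computer"),
                       "time": sysn.find("TimeCreated").get("SystemTime"), "fields": fields})
    return events

def session_id(e):
    """Logon ID of the session an event belongs to (4624 calls it Target*, most others Subject*)."""
    return (e["fields"].get("TargetLogonId") or e["fields"].get("SubjectLogonId") or "").lower()

def correlate_log_clears(events):
    """For every 1102, find the 4624 logon and earlier 4688 process creations in the same session."""
    findings = []
    for clr in (e for e in events if e["id"] == 1102):
        lid = session_id(clr)
        logon = next((e for e in events if e["id"] == 4624 and session_id(e) == lid), None)
        procs = [e for e in events if e["id"] == 4688 and session_id(e) == lid and e["time"] <= clr["time"]]
        cmds = [p["fields"].get("CommandLine", "") for p in procs if any(
            m in (p["fields"].get("NewProcessName", "") + " " + p["fields"].get("CommandLine", "")).lower()
            for m in CLEAR_MARKERS)]
        findings.append({"computer": clr["computer"], "cleared_at": clr["time"], "logon_id": lid,
                         "user": clr["fields"].get("SubjectUserName"),
                         "logon_source": logon["fields"].get("IpAddress") if logon else None,
                         "clearing_commands": cmds})
    return findings
```

On a real export the same session may also appear in Sysmon or forwarded SIEM copies, which is where the correlation should be repeated once the local log has been cleared.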
Related Event IDs
| Event ID | Log | Description |
|---|---|---|
| 1102 | Security | Security log cleared |
| 104 | System | System log cleared |
| 1100 | Security | Event logging service shutdown |
| 4719 | Security | System audit policy changed |
Interview Angles
Common Questions
- "How would you detect if an attacker cleared Windows logs?"
- "What's the significance of Event ID 1102?"
- "How can you recover evidence if logs are cleared?"
STAR Story
Situation: During incident response, we noticed gaps in Security event logs on a compromised workstation.
Task: Determine if logs were intentionally cleared and recover what happened.
Action: Found Event ID 1102 showing Security log was cleared by a local admin account. Used the SubjectLogonId to correlate with Sysmon logs (which weren't cleared) and found the attacker's commands. Also pulled logs from the SIEM where they had been forwarded before deletion.
Result: Recovered full attack timeline despite local log deletion. Implemented real-time log forwarding and alerting on Event ID 1102.
Best Practices
- Forward logs in real-time to SIEM before attackers can clear them
- Alert immediately on Event ID 1102; it's almost never legitimate
- Correlate with Sysmon logs (attackers often forget to clear Sysmon)
- Restrict log clearing permissions to specific admin accounts
- Monitor for wevtutil.exe and Clear-EventLog execution
Common Misconceptions
- "Clearing logs destroys all evidence": Event 1102 survives; Sysmon/SIEM may have copies
- "Admins clear logs regularly": Should be rare and documented; still investigate
- "Only Security log matters": Check System (104) and Application too
Related Concepts
References
- MITRE ATT&CK T1070.001: https://attack.mitre.org/techniques/T1070/001/
- Microsoft Security Event ID 1102 Documentation
- SANS Windows Forensic Analysis