Winlogon CachedLogonsCount Registry Manipulation Via CLI

Rule Info

Name
Winlogon CachedLogonsCount Registry Manipulation Via CLI
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects command-line manipulation of the CachedLogonsCount registry value under the Winlogon key. This value controls how many domain credential sets Windows caches locally. Setting it to zero disables caching entirely, forcing direct domain controller authentication. Threat actors may abuse this to prevent offline authentication or to hinder forensic credential recovery post-compromise.
Date
2026-05-04 00:00:00
Modified
None
Id
7c2e4f91-b3a8-4d6e-9f05-e8c1b2a74d38
Tags
attack.defense-impairment attack.persistence attack.t1112
Type
Nextron Sigma feed only (private)

Rule History