Winlogon CachedLogonsCount Registry Value Set To Zero

Rule Info

Name: Winlogon CachedLogonsCount Registry Value Set To Zero
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects registry set events where the CachedLogonsCount value under the Winlogon key is set to zero. This disables Windows cached domain credentials, forcing direct domain controller authentication. Threat actors may abuse this to prevent offline authentication or to hinder forensic credential recovery post-compromise.
Date: 2026-05-04 00:00:00
Modified: None
Id: ac235f2e-6fcb-46cf-b25d-78f37df9ebe7
Tags: attack.defense-impairment, attack.persistence, attack.t1112
Type: Nextron Sigma feed only (private)

Rule History