@jschlackman
Created July 10, 2019 14:23
XPath filter for the Windows Security event log to find logons using LM or NTLM V1
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[EventData[Data[@Name='LmPackageName'] and (Data='NTLM V1' or Data='LM')]]
</Select>
</Query>
</QueryList>
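
Added example (not part of the original gist): a Python triage script for events exported as XML, which groups LM/NTLM V1 logons by account and workstation. It also shows that, under standard XPath 1.0 node-set comparison, the filter's `Data='LM'` test is true for any `Data` element with that value, not only `LmPackageName`. The sample events, the account and host names, and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LEGACY = {"NTLM V1", "LM"}

def event(user, workstation, package):
    """Build a constructed, minimal 4624-style event (sample data, not a real log)."""
    fields = {"TargetUserName": user, "WorkstationName": workstation,
              "LmPackageName": package}
    data = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in fields.items())
    return (f"<Event xmlns='{NS['e']}'><System><EventID>4624</EventID></System>"
            f"<EventData>{data}</EventData></Event>")

SAMPLE = [  # constructed sample input
    event("alice", "WS-OLD-01", "NTLM V1"),
    event("alice", "WS-OLD-01", "NTLM V1"),
    event("bob", "WS-NEW-07", "NTLM V2"),
    event("svc-scan", "PRINTER-3", "LM"),
    event("LM", "WS-NEW-09", "NTLM V2"),   # account literally named "LM"
    event("carol", "WS-NEW-02", "-"),      # non-NTLM logon, package is "-"
]

def fields_of(xml_text):
    """Return the event's EventData as a {Name: value} dict."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}

def loose_match(f):
    """Mirror of the filter as written: LmPackageName exists, ANY value is legacy."""
    return "LmPackageName" in f and any(v in LEGACY for v in f.values())

def strict_match(f):
    """Bind the value to the named field, i.e. Data[@Name='LmPackageName']='NTLM V1'."""
    return f.get("LmPackageName") in LEGACY

def summarize(events):
    """Count legacy-NTLM logons per (account, workstation, package)."""
    hits = Counter()
    for xml_text in events:
        f = fields_of(xml_text)
        if strict_match(f):
            key = (f.get("TargetUserName"), f.get("WorkstationName"), f["LmPackageName"])
            hits[key] += 1
    return hits

if __name__ == "__main__":
    for (user, ws, pkg), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {pkg:8s} {user} from {ws}")
```

The per-workstation counts are the useful output when planning to disable LM and NTLM V1: they identify which clients still negotiate the legacy packages.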