Skip to content

Instantly share code, notes, and snippets.

@jschlackman
Created July 10, 2019 14:23
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Embed
What would you like to do?
XPath filter for the Windows Security event log to find logons using LM or NTLM V1
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[EventData[Data[@Name='LmPackageName'] and (Data='NTLM V1' or Data='LM')]]
</Select>
</Query>
</QueryList>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment