-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy path0226D5.xml
More file actions
20 lines (20 loc) · 803 Bytes
/
Copy path0226D5.xml
File metadata and controls
20 lines (20 loc) · 803 Bytes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
<ViewerConfig>
<QueryConfig>
<QueryParams>
<UserQuery />
</QueryParams>
<QueryNode>
<Name>NTLMv1 Authentications</Name>
<Description>NTLMv1 (Windows New Technology LAN Manager) Authentications</Description>
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4624)]] and
*[EventData[Data[@Name="TargetUserName"]!="ANONYMOUS LOGON"]] and
*[EventData[Data[@Name="LmPackageName"]="NTLM V1"]]
</Select>
</Query>
</QueryList>
</QueryNode>
</QueryConfig>
</ViewerConfig>