-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path049517.xml
21 lines (21 loc) · 938 Bytes
/
049517.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
<ViewerConfig>
<QueryConfig>
<QueryParams>
<UserQuery />
</QueryParams>
<QueryNode>
<Name>Legacy Kerberos Ticket Encryption Types</Name>
<Description>Legacy Kerberos Ticket Encryption Types: DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC, RC4-HMAC-EXP</Description>
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4768)]] and
*[EventData[Data[@Name="TicketEncryptionType"]!="0x11"]] and
*[EventData[Data[@Name="TicketEncryptionType"]!="0x12"]] and
*[EventData[Data[@Name="TicketEncryptionType"]!="0xffffffff"]]
</Select>
</Query>
</QueryList>
</QueryNode>
</QueryConfig>
</ViewerConfig>