HowTo Verify your Domain isn’t using LM or NTLMv1

14th April 2023

Before you raise the LAN Manager authentication level (LmCompatibilityLevel) to refuse LM and NTLMv1 responses, you want to know whether anything on the domain still sends them. The 4624 (logon success) and 4625 (logon failure) events on a Domain Controller record the NTLM version that was negotiated in the LmPackageName field ("LM", "NTLM V1" or "NTLM V2"), so a custom Event Viewer view filtered on that field shows which accounts and workstations are still using the weak protocols.

Open your favourite MMC console, or Start, Run, mmc.exe (Enter)

File, Add / Remove Snap-in
In the left pane choose Computer Management, Add
In the Select Computer dialog, select Another computer and type the FQDN (Fully Qualified Domain Name) of your Domain Controller, Finish, OK

Open System Tools, Event Viewer
Right click Event Viewer, Create Custom View
Click the XML tab, tick the "Edit query manually" box
Click Yes to the warning (it only says you can no longer use the Filter tab for this view)

Paste one of the following queries into the box and click OK

Stooopid WordPress won’t let me paste the text in here so just get it from the source linked below

https://gist.github.com/jschlackman/90937d34850159269c46c7a799fb878b

Logon auth LM, past 30 days:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4776 or EventID=4624 or EventID=4625) 
      and TimeCreated[timediff(@SystemTime) &lt;= 2592000000]]]
      and
      *[EventData[Data[@Name="AuthenticationPackageName"]="NTLM"]]
      and
      *[EventData[Data[@Name="LmPackageName"]="LM"]]
    </Select>
  </Query>
</QueryList>

Logon auth NTLMv1, past 7 days:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4776 or EventID=4624 or EventID=4625) 
      and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]
      and
      *[EventData[Data[@Name="AuthenticationPackageName"]="NTLM"]]
      and
      *[EventData[Data[@Name="LmPackageName"]="NTLM V1"]]
    </Select>
  </Query>
</QueryList>

Logon auth NTLMv2, past 7 days (for comparison; this is the one you want to see):

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4776 or EventID=4624 or EventID=4625) 
      and TimeCreated[timediff(@SystemTime) &lt;= 604800000]]]
      and
      *[EventData[Data[@Name="AuthenticationPackageName"]="NTLM"]]
      and
      *[EventData[Data[@Name="LmPackageName"]="NTLM V2"]]
    </Select>
  </Query>
</QueryList>
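The same check from PowerShell, as an added example that is not part of the original post or the linked gist: it runs the LmPackageName filter from the views above against a DC's Security log with Get-WinEvent and summarises which accounts and source hosts still produce LM or NTLMv1 logons. It assumes $DC is the FQDN of your Domain Controller, that you can read its Security log remotely (Event Log Readers membership or admin rights, RPC reachable), and the script name Find-LegacyNtlm.ps1 is made up for the usage line. Only 4624 and 4625 are queried: 4776 carries just PackageName, TargetUserName, Workstation and Status, so the AuthenticationPackageName and LmPackageName predicates in the views above never match a 4776 event anyway.

```powershell
# Added example, not part of the original post or the linked gist.
# Runs the LmPackageName filter from the custom views above against a DC's
# Security log and summarises who is still using LM / NTLMv1.
# Assumptions: $DC is the DC's FQDN, you can read its Security log remotely,
# and only 4624/4625 are queried (4776 has no LmPackageName field).
param(
    [Parameter(Mandatory)][string]$DC,
    [int]$Days = 7
)

$ms = [int64]$Days * 24 * 60 * 60 * 1000   # timediff() compares milliseconds

function Get-NtlmLogon {
    param([string]$Computer, [string]$LmPackage, [int64]$WindowMs)

    # Same predicate as the XML views; $LmPackage is LM, NTLM V1 or NTLM V2
    $query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625)
      and TimeCreated[timediff(@SystemTime) &lt;= $WindowMs]]]
      and *[EventData[Data[@Name="AuthenticationPackageName"]="NTLM"]]
      and *[EventData[Data[@Name="LmPackageName"]="$LmPackage"]]
    </Select>
  </Query>
</QueryList>
"@
    # Get-WinEvent raises an error when nothing matches; treat that as empty
    $events = Get-WinEvent -ComputerName $Computer -FilterXml $query -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read EventData by name, not by position: the Properties order
        # differs between 4624 and 4625
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            EventId     = $e.Id
            LmPackage   = $LmPackage
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
        }
    }
}

$legacy = foreach ($pkg in 'LM', 'NTLM V1') { Get-NtlmLogon -Computer $DC -LmPackage $pkg -WindowMs $ms }
$v2     = @(Get-NtlmLogon -Computer $DC -LmPackage 'NTLM V2' -WindowMs $ms)

"NTLMv2 logon events on $DC in the last $Days days: $($v2.Count)"
if (-not $legacy) {
    "No LM or NTLMv1 logon events on $DC in the last $Days days."
    return
}

# What needs fixing: one row per package / account / source, most frequent first
$legacy |
    Group-Object LmPackage, Account, Workstation, SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{n='LmPackage';   e={$_.Group[0].LmPackage}},
                  @{n='Account';     e={$_.Group[0].Account}},
                  @{n='Workstation'; e={$_.Group[0].Workstation}},
                  @{n='SourceIp';    e={$_.Group[0].SourceIp}} |
    Format-Table -AutoSize
```

Run it as `.\Find-LegacyNtlm.ps1 -DC dc01.corp.example.com -Days 30` (both names are placeholders). Two caveats apply equally to the script and to the custom views: the DC's Security log only records logons to that DC (SMB to SYSVOL, LDAP binds and so on), which usually catches stragglers because every domain member talks to the DCs, but a host speaking NTLMv1 to a member file server without touching the DC will not appear, so run the same query against the servers it talks to as well; and a clean result over 7 days says nothing about the monthly batch job, so widen the window before you change LmCompatibilityLevel.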