How can I generate the correct XPath query for Event ID 4624 without writing it manually?
Use Event Viewer (eventvwr.msc) to create a custom view with the desired filters (e.g., Event ID 4624 and username), then switch to the XML tab, where the XPath statement is generated automatically. The query can then be used in wevtutil or PowerShell. This method is described in the wevtutil section of the article "Analysis of SharpSniper Exploitation".
Event Viewer, XPath generation, custom view, XML tab