huntPrintSpoolerVuln
/*
--author: @jkopacko
+= Descriptive names: N/A
+= Variable type: N/A
+= Value: N/A
+= Version 1.0 - N/A
+= Query type: Live Discover
+= OS Support: Windows
*/
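-- Hunt: report the Print Spooler service state on a Windows endpoint next to
-- each row of win_update, and label the KB articles this query associates
-- with CVE-2021-1675 and CVE-2021-34527.
--
-- Result shape: the join has no key, so the single Spooler row is paired with
-- every win_update row (one output row per recorded update). Most rows will
-- therefore carry the ELSE label; filter on WindowsKBApplied when triaging.
--
-- NOTE(review): the KB list below is a fixed snapshot. Later cumulative
-- updates that supersede these KBs are not matched, so the ELSE label does
-- not by itself mean the host is unpatched - confirm against the vendor
-- advisories for the OS builds in scope.
-- NOTE(review): 'Protected against ...' only reflects that the KB row is
-- present. For CVE-2021-34527 the vendor guidance also depends on the
-- Point and Print policy settings, which this query does not inspect.
SELECT
    svc.display_name AS ServiceName,
    svc.status,
    svc.start_type,
    -- A running spooler is the exposed state; a stopped one needs no service action.
    CASE
        WHEN svc.status = 'RUNNING' THEN 'Stop spooler service from running'
        ELSE 'Wait for Windows Patch'
    END AS CurrentServiceAdvice,
    -- Any start type other than DISABLED lets the service come back after a reboot.
    CASE
        WHEN svc.start_type != 'DISABLED' THEN 'Set spooler service startup type to disabled'
        ELSE 'Wait for Windows Patch'
    END AS CurrentStartUpAdvice,
    CASE
        -- Only reachable when win_update returned no rows (see LEFT JOIN below).
        WHEN upd.kbarticle IS NULL THEN 'No update records returned'
        WHEN upd.kbarticle = 'KB5003637' THEN 'Protected against CVE-2021-1675'
        WHEN upd.kbarticle IN ('KB5005010', 'KB5004954') THEN 'Protected against CVE-2021-34527'
        WHEN upd.kbarticle IN ('KB5004237', 'KB5004298') THEN 'Protected against CVE-2021-1675 & CVE-2021-34527'
        ELSE 'KB does not affect vulnerability'
    END AS WindowsKBApplied
FROM services AS svc
-- LEFT JOIN with an always-true condition keeps the original one-row-per-update
-- pairing, but still returns the Spooler row when win_update is empty. With the
-- original inner join such a host returned no rows at all and dropped out of
-- the hunt, even if its spooler was running.
LEFT JOIN win_update AS upd
    ON 1 = 1
WHERE svc.name = 'Spooler'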