Find machines with running Print Spooler service, or that could be

SELECT name, display_name, start_type, path, status, user_account,
CASE
WHEN status = 'RUNNING' THEN 'Stop service to end exposure to unpatched vulnerabilities inc. Print Nightmare'
END AS SpoolerCheck,
CASE
WHEN start_type != 'Disabled' THEN 'Set Spooler service to DISABLED to prevent it from starting'
END AS ServiceCheck
FROM services
WHERE name = 'Spooler' AND (status = 'RUNNING' OR start_type != 'DISABLED')

j0hnV

j0hnV over 3 years ago

The first query was a copy of the canned script, "Services installed on the device", which looks like

SELECT
name,
display_name,
start_type,
path,
status,
user_account
FROM services

To which I added the WHERE line. The example from our query desk https://news.sophos.com/en-us/2021/07/01/printnightmare-vulnerability-what-to-do/ inspired to add suggestions for actions.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel

Uncategorized

Anomalies

ATT&CK

Cloud Optix

Compliance

Data Lake

Device

Email

Events

Files

Live Response

Network

Other queries

Processes

Query Tips

Registry

Threat Hunting

User

Find machines with running Print Spooler service, or that could be