PrintNightMare Hotfix Check
-- PrintNightMare Hotfix/Patch Check
-- Lists the installed PrintNightMare hotfixes alongside the Print Spooler service status.
-- There is no GROUP BY, so GROUP_CONCAT collapses every matching hotfix into one row
-- and HotfixEvidence is labelled from one of those rows.
-- If none of the listed hotfixes is installed, the single aggregate row is still returned
-- (Service and status are NULL) and the CASE falls through to 'Hotfix not installed'.
SELECT DISTINCT
    services.display_name AS Service,
    services.status,
    'List PrintNightMare Hotfix' AS TEST,
    CAST(GROUP_CONCAT(hotfix_id, ' ' || CHAR(10)) AS TEXT) AS Result,
    CASE
        WHEN hotfix_id = 'KB5004953' THEN 'Windows Server 2008 R2(Monthly Rollup), Windows 7, Windows Embedded Standard 7'
        WHEN hotfix_id = 'KB5004951' THEN 'Windows Server 2008 R2, Server 2016, Windows 7, Windows Embedded Standard 7(Security Only)'
        WHEN hotfix_id = 'KB5004955' THEN 'Windows Server 2008(Monthly Rollup)'
        WHEN hotfix_id = 'KB5004959' THEN 'Windows Server 2008(Security Only)'
        WHEN hotfix_id = 'KB5004958' THEN 'Windows Server 2012 R2, Windows 8.1(Security Only Update)'
        WHEN hotfix_id = 'KB5004954' THEN 'Windows Server 2012 R2, Windows 8.1(Security Only Update)'
        WHEN hotfix_id = 'KB5004945' THEN 'Windows 10, version 1903 and later, Windows Server, version 1903 and later, Windows 10 GDR-DU'
        WHEN hotfix_id = 'KB5004950' THEN 'Windows 10 LTSB(Cumulative)'
        WHEN hotfix_id = 'KB5004946' THEN 'Windows 10 version 1909(Cumulative)'
        WHEN hotfix_id = 'KB5004947' THEN 'Windows 10 version 1809, Server 2019(Cumulative)'
        ELSE 'Hotfix not installed'
    END AS HotfixEvidence,
    patches.description,
    patches.installed_on
FROM patches, services
WHERE hotfix_id IN ('KB5004953', 'KB5004951', 'KB5004955', 'KB5004959', 'KB5004958',
                    'KB5004954', 'KB5004945', 'KB5004950', 'KB5004946', 'KB5004947')
  AND services.display_name = 'Print Spooler'
Live Discover
threathunt
vulnerability
EDR
Windows
Jainidh Rajpal
7 Jul 2021