Shared over on #C811PUZU4 but we shared a blog/query on RCE vulnerability CVE-2020-1350, check the status of this vuln across your fleet: https://www.uptycs.com/blog/addressing-critical-windows-dns-server-remote-code-execution-vulnerability-cve-2020-1350

WITH vulnerable AS (
  SELECT 'CVE-2020-1350' AS id,
    CASE WHEN count(*) > 0 THEN 'TRUE' ELSE 'FALSE' END os_vulnerable
  FROM os_version
  WHERE major >= 6 
    AND codename LIKE '%Server%'
), installed AS (
  SELECT 'CVE-2020-1350' AS id,
    CASE WHEN count(*) > 0 THEN 'TRUE' ELSE 'FALSE' END dns_installed
  FROM services
  WHERE name = 'DNS'
), workaround AS (
  SELECT 'CVE-2020-1350' AS id,
    CASE WHEN count(*) > 0 THEN 'TRUE' ELSE 'FALSE' END workaround_configured
  FROM registry
  WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    AND name = 'TcpReceivePacketSize'
    AND CAST(data AS int) <= 65280
), patched AS (
  SELECT 'CVE-2020-1350' AS id,
    CASE WHEN count(*) > 0 THEN 'TRUE' ELSE 'FALSE' END is_patched
  FROM patches
  WHERE hotfix_id IN ( 'KB4558998', 'KB4565483', 'KB4565503', 'KB4565511','KB4565524', 'KB4565529', 'KB4565535', 'KB4565536', 'KB4565537', 'KB4565539', 'KB4565540', 'KB4565541' )
)
SELECT * FROM vulnerable JOIN installed USING (id), workaround USING (id), patched USING (id)