Built off the open source project Osquery
Description: This query checks whether the registry value (EnableTrailerSupport) is set. If this value is set, it is most likely that the asset is vulnerable to the critical vulnerability CVE-2022-21907.
SELECT
  CASE
    WHEN EXISTS (
      SELECT *
      FROM registry
      WHERE key = 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters'
        AND name = 'EnableTrailerSupport'
    )
    THEN 'VULNERABLE'
    ELSE 'NOT_VULNERABLE'
  END 'CVE-2022-21907_status';
@ralamer I must admit I found that SANS article a little confusing, so I checked out the MSFT link in the article and it made a lot more sense. In that vulnerability announcement, it states that the registry key in your query is only useful in mitigating this vulnerability in Windows Server 2019 and Windows 10, version 1809. Therefore, other vulnerable versions listed on that page would need to apply patches.
With that said, I think it would be good to modify your query to make it less prone to false negatives. Please let me know if you read things differently or have questions.
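One way to narrow the check along the lines of the reply above, as an added example that is not part of either post: the registry result is reported only on the two releases where the thread says it is meaningful, and every other release is flagged for a patch-level check instead of being reported as not vulnerable. It assumes Windows 10 version 1809 and Windows Server 2019 both report build 17763 in osquery's `os_version` table; the status labels and column aliases are made up for this example.

```sql
-- Added example: scope the EnableTrailerSupport check by OS build.
-- Assumption: build 17763 = Windows 10 version 1809 / Windows Server 2019.
SELECT
  os.name  AS os_name,
  os.build AS os_build,
  CASE
    -- On any other build the registry value says nothing about exposure,
    -- so do not report NOT_VULNERABLE; the patch level has to be checked.
    WHEN os.build != '17763'
      THEN 'REGISTRY_CHECK_NOT_APPLICABLE_VERIFY_PATCH'
    -- On 1809 / Server 2019 the value being present is the condition
    -- the original query looks for.
    WHEN EXISTS (
      SELECT 1
      FROM registry
      WHERE key = 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters'
        AND name = 'EnableTrailerSupport'
    )
      THEN 'TRAILER_SUPPORT_SET_VERIFY_PATCH'
    ELSE 'TRAILER_SUPPORT_NOT_SET'
  END AS cve_2022_21907_registry_status
FROM os_version AS os;
```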