From 1decb2a56ffa966671050dd41705d5fc1e3a4a20 Mon Sep 17 00:00:00 2001
From: AndrewB
Date: Tue, 27 Jul 2021 09:33:33 -0400
Subject: [PATCH] Add "Find deleted files from disk" to Standard query library (#1481)

---
 .../standard-query-library/standard-query-library.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/docs/1-Using-Fleet/standard-query-library/standard-query-library.yml b/docs/1-Using-Fleet/standard-query-library/standard-query-library.yml
index 6c625f272d..a7f429375e 100644
--- a/docs/1-Using-Fleet/standard-query-library/standard-query-library.yml
+++ b/docs/1-Using-Fleet/standard-query-library/standard-query-library.yml
@@ -436,3 +436,13 @@ spec:
   query: SELECT uid, username, type, groupname FROM users u JOIN groups g ON g.gid = u.gid;
   purpose: Informational
   contributors: noahtalerman
+---
+apiVersion: v1
+kind: query
+spec:
+  name: Find deleted files from disk
+  platforms: Linux, macOS, Windows
+  description: Lists all processes of which the binary which launched them no longer exists on disk. Attackers often delete files from disk after launching process to mask presence.
+  query: SELECT name, path, pid FROM processes WHERE on_disk = 0;
+  purpose: Incident response
+  contributors: alphabrevity
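Review bot: The description of the new spec promises more than `WHERE on_disk = 0` delivers: osquery documents `processes.on_disk` as 1 when the executable path exists, 0 when it does not, and -1 when the path is unknown, so processes whose path could not be resolved are silently dropped, and I believe on Linux a binary replaced by a package upgrade also yields 0 for processes started before the upgrade, which is a common benign match. The description should say so, and the query would be far more useful for the stated "Incident response" purpose with a few triage columns, e.g. `query: SELECT name, path, pid, parent, uid, cmdline, start_time FROM processes WHERE on_disk = 0;`, so a responder can tell an upgraded service from a process that removed its own binary. The description's wording also needs a pass; something like `description: Lists processes whose launching binary no longer exists on disk (on_disk = 0; processes with an unknown path are not returned). Attackers sometimes delete a binary after launching it to hide their presence, but long-running processes started before a package upgrade are a common benign match.` would read better.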