Update standard-query-library.yml (#2036)

* Update standard-query-library.yml

Added new queries to library

* sentence-case capitalization + standardize first word in name

* andrewbare => alphabrevity (so your picture shows up correctly on the website)

Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com>

docs/1-Using-Fleet/standard-query-library/standard-query-library.yml

@@ -440,9 +440,62 @@ spec:
 apiVersion: v1
 kind: query
 spec:
-  name: Find deleted files from disk
+  name: Get processes that no longer exist on disk
   platforms: Linux, macOS, Windows
   description: Lists all processes of which the binary which launched them no longer exists on disk. Attackers often delete files from disk after launching process to mask presence.
   query: SELECT name, path, pid FROM processes WHERE on_disk = 0;
   purpose: Incident response
   contributors: alphabrevity
+  ---
+apiVersion: v1
+kind: query
+spec:
+  name: Get user files matching a specific hash
+  platforms: macOS, Linux
+  Description:  Looks for specific hash in the Users/ directories for files that are less than 50MB (osquery file size limitation.)
+  query: SELECT path,sha256 FROM hash WHERE path in (SELECT path FROM file WHERE size < 50000000 AND path LIKE ""/Users/%/Documents/%%"") AND sha256 = ""16d28cd1d78b823c4f961a6da78d67a8975d66cde68581798778ed1f98a56d75"";
+  purpose: Informational
+  contributors: alphabrevity
+---
+apiVersion: v1
+kind: query
+spec:
+  name: Get local administrator accounts on macOS
+  platforms: macOS
+  description: The query allows you to check macOS systems for local administrator accounts. 
+  query: SELECT uid, username, type, groupname FROM users u JOIN groups g ON g.gid = u.gid;
+  purpose: Informational
+  contributors: alphabrevity
+—--
+apiVersion: v1
+kind: query
+spec:
+  name: Get all listening ports, by process
+  platforms: Linux, macOS, Windows
+  Description: List ports that are listening on all interfaces, along with the process to which they are attached.
+  query: SELECT lp.address, lp.pid, lp.port, lp.protocol, p.name, p.path, p.cmdline FROM listening_ports lp JOIN processes p ON lp.pid = p.pid WHERE lp.address = "0.0.0.0";
+  purpose: Informational 
+  contributors: alphabrevity
+---
+apiVersion: v1
+kind: query
+spec:
+  name: Detect if TeamViewer is installed/running
+  platforms: Windows
+  description: Description: Looks for the TeamViewer service running on machines. This is used often when attackers gain access to a machine, running TeamViewer to allow them to access a machine.
+  query: SELECT display_name,status,s.pid,p.path FROM services AS s JOIN processes AS p USING(pid) WHERE s.name LIKE "%teamviewer%";
+  purpose: Detection
+  contributors: alphabrevity
+---
+apiVersion: v1
+kind: query
+spec:
+  name: Get malicious Python backdoors
+  platforms: macOS, Linux, Windows
+  description: Watches for the backdoored Python packages installed on system. See (http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html)
+  query: select case cnt when 0 then "NONE_INSTALLED" else "INSTALLED" end as "Malicious Python Packages",package_name,package_version from (select count(name) as  cnt,nameas package_name,version as package_version,path as package_pathfrom python_packages where package_name in ('acqusition','apidev-coop','bzip','crypt','django-server','pwd','setup-tools','telnet','urlib3','urllib'));
+  purpose: Informational
+  contributors: alphabrevity
+---
+
+