[New Hunt] Add Initial Linux Hunting Files (#3847)

* added 'Uncommon Process Execution from Suspicious Directory' hunt

* adds all linux hunting files

* moves linux hunting files to queries folder

* adds generated docs

* fixing windows hunts

* fixing windows hunts

* updated README

* Removed 2, updated a few, changed some names/descriptions and added list of str

* updated windows for language schema changes, regenerated docs; updated README and index

* changed UUIDs to hex only with standard hyphen format

* removing unecessary docs

* Fixed queries based on Samir feedback

* ++

* regenerating linux docs

* Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/linux/queries/command_and_control_via_unusual_file_downloads_from_source_addresses.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/linux/queries/defense_evasion_via_capitalized_process_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Updates

* Update

* Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Updates

* regenerating linux docs

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit f0b2cb7c87)

hunting/linux/docs/persistence_reverse_bind_shells.md

@@ -0,0 +1,58 @@
+# Persistence Through Reverse/Bind Shells
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunt provides several OSQuery queries that can aid in the detection of reverse/bind shells. Reverse shells are a type of shell in which the target machine communicates back to the attacking machine. Bind shells are a type of shell in which the target machine opens a communication port on the victim machine and waits for an attacker to connect to it. These shells can be used by attackers to gain remote access to a system.
+
+- **UUID:** `7422faf1-ba51-49c3-b8ba-13759e6bcec4`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
+- **Language:** `[SQL]`
+
+## Query
+
+```sql
+SELECT (
+  CASE family 
+  WHEN 2 THEN 'IP4' 
+  WHEN 10 THEN 'IP6' 
+  ELSE family END
+) AS family, (
+  CASE protocol 
+  WHEN 6 THEN 'TCP' 
+  WHEN 17 THEN 'UDP' 
+  ELSE protocol END
+) AS protocol, local_address, local_port, 
+  remote_address, remote_port 
+FROM process_open_sockets 
+WHERE family IN (2, 10) 
+AND protocol IN (6, 17) 
+```
+
+```sql
+SELECT cmdline, name, path, pid, state, threads, total_size 
+FROM processes 
+WHERE cmdline != ''
+```
+
+```sql
+SELECT pid, address, port, socket, protocol, path FROM listening_ports
+```
+
+## Notes
+
+- The hunt provides OSQuery queries to detect reverse/bind shells on Linux systems.
+- The first hunt query retrieves information about open sockets on the system.
+- The second hunt query retrieves information about running processes on the system.
+- The third hunt query retrieves information about listening ports on the system.
+- Investigate strange or unexpected open sockets, processes, or listening ports on the system.
+- Use the information from each hunt to pivot and investigate further for potential reverse/bind shells.
+## MITRE ATT&CK Techniques
+
+- [T1059.004](https://attack.mitre.org/techniques/T1059/004)
+
+## License
+
+- `Elastic License v2`