[New Rule] Abnormal Process ID File Creation (#1964)

* adding rule detection

* changed Rule ID

* Update rules/linux/execution_abnormal_process_id_file_created.toml

Adding reboot extension as well.

Reference: https://exatrack.com/public/Tricephalic_Hellkeeper.pdf

* Update rules/linux/execution_abnormal_process_id_file_created.toml

Adding reboot to description.

Reference: https://exatrack.com/public/Tricephalic_Hellkeeper.pdf

* Update rules/linux/execution_abnormal_process_id_file_created.toml

Added additional reference to similar threat.

* Update rules/linux/execution_abnormal_process_id_file_created.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_abnormal_process_id_file_created.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* added rule for a process starting where the executable's name represented a PID file

* Adjusted user.id value from integer to string

* Added simple investigation notes and osquery coverage

* TOML linting

* Updated date to reflect recent changes

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 1704924f7b)

rules/linux/execution_process_started_from_process_id_file.toml

@@ -0,0 +1,61 @@
+[metadata]
+creation_date = "2022/05/11"
+maturity = "production"
+updated_date = "2022/05/12"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a new process starting from a process ID (PID), lock or reboot file within the temporary file storage
+paradigm (tmpfs) directory /var/run directory. On Linux, the PID files typically hold the process ID to track previous
+copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables
+and other tasks, disguising itself or these files as legitimate PID files.
+"""
+false_positives = [
+    """
+    False-Positives (FP) should be at a minimum with this detection as PID files are meant to hold process IDs, not
+    inherently be executables that spawn processes.
+    """,
+]
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Process Started from Process ID (PID) File"
+note = """## Triage and analysis
+
+### Investigating Process Started from Process ID (PID) File
+Detection alerts from this rule indicate a process spawned from an executable masqueraded as a legitimate PID file which is very unusual and should not occur. Here are some possible avenues of investigation:
+- Examine parent and child process relationships of the new process to determine if other processes are running.
+- Examine the /var/run directory using Osquery to determine other potential PID files with unsually large file sizes, indicative of it being an executable: "SELECT f.size, f.uid, f.type, f.path from file f WHERE path like '/var/run/%%';"
+- Examine the reputation of the SHA256 hash from the PID file in a database like VirusTotal to identify additional pivots and artifacts for investigation."""
+references = [
+    "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/",
+    "https://twitter.com/GossiTheDog/status/1522964028284411907",
+    "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
+]
+risk_score = 73
+rule_id = "3688577a-d196-11ec-90b0-f661ea17fbce"
+severity = "high"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type == "start" and user.id == "0" and process.executable regex~ """/var/run/\w+\.(pid|lock|reboot)"""
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+