separate rules to submodule (#304)

* rm: rules

* Add: hayabusa-rules to submodule

rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml

@@ -1,124 +0,0 @@
-
-title: Malicious PowerShell Commandlets
-author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update),
-  oscd.community (update)
-date: 2017/03/05
-description: Detects Commandlet names from well-known PowerShell exploitation frameworks
-detection:
-  SELECTION_1:
-    ScriptBlockText:
-    - '*Invoke-DllInjection*'
-    - '*Invoke-Shellcode*'
-    - '*Invoke-WmiCommand*'
-    - '*Get-GPPPassword*'
-    - '*Get-Keystrokes*'
-    - '*Get-TimedScreenshot*'
-    - '*Get-VaultCredential*'
-    - '*Invoke-CredentialInjection*'
-    - '*Invoke-Mimikatz*'
-    - '*Invoke-NinjaCopy*'
-    - '*Invoke-TokenManipulation*'
-    - '*Out-Minidump*'
-    - '*VolumeShadowCopyTools*'
-    - '*Invoke-ReflectivePEInjection*'
-    - '*Invoke-UserHunter*'
-    - '*Find-GPOLocation*'
-    - '*Invoke-ACLScanner*'
-    - '*Invoke-DowngradeAccount*'
-    - '*Get-ServiceUnquoted*'
-    - '*Get-ServiceFilePermission*'
-    - '*Get-ServicePermission*'
-    - '*Invoke-ServiceAbuse*'
-    - '*Install-ServiceBinary*'
-    - '*Get-RegAutoLogon*'
-    - '*Get-VulnAutoRun*'
-    - '*Get-VulnSchTask*'
-    - '*Get-UnattendedInstallFile*'
-    - '*Get-ApplicationHost*'
-    - '*Get-RegAlwaysInstallElevated*'
-    - '*Get-Unconstrained*'
-    - '*Add-RegBackdoor*'
-    - '*Add-ScrnSaveBackdoor*'
-    - '*Gupt-Backdoor*'
-    - '*Invoke-ADSBackdoor*'
-    - '*Enabled-DuplicateToken*'
-    - '*Invoke-PsUaCme*'
-    - '*Remove-Update*'
-    - '*Check-VM*'
-    - '*Get-LSASecret*'
-    - '*Get-PassHashes*'
-    - '*Show-TargetScreen*'
-    - '*Port-Scan*'
-    - '*Invoke-PoshRatHttp*'
-    - '*Invoke-PowerShellTCP*'
-    - '*Invoke-PowerShellWMI*'
-    - '*Add-Exfiltration*'
-    - '*Add-Persistence*'
-    - '*Do-Exfiltration*'
-    - '*Start-CaptureServer*'
-    - '*Get-ChromeDump*'
-    - '*Get-ClipboardContents*'
-    - '*Get-FoxDump*'
-    - '*Get-IndexedItem*'
-    - '*Get-Screenshot*'
-    - '*Invoke-Inveigh*'
-    - '*Invoke-NetRipper*'
-    - '*Invoke-EgressCheck*'
-    - '*Invoke-PostExfil*'
-    - '*Invoke-PSInject*'
-    - '*Invoke-RunAs*'
-    - '*MailRaider*'
-    - '*New-HoneyHash*'
-    - '*Set-MacAttribute*'
-    - '*Invoke-DCSync*'
-    - '*Invoke-PowerDump*'
-    - '*Exploit-Jboss*'
-    - '*Invoke-ThunderStruck*'
-    - '*Invoke-VoiceTroll*'
-    - '*Set-Wallpaper*'
-    - '*Invoke-InveighRelay*'
-    - '*Invoke-PsExec*'
-    - '*Invoke-SSHCommand*'
-    - '*Get-SecurityPackages*'
-    - '*Install-SSP*'
-    - '*Invoke-BackdoorLNK*'
-    - '*PowerBreach*'
-    - '*Get-SiteListPassword*'
-    - '*Get-System*'
-    - '*Invoke-BypassUAC*'
-    - '*Invoke-Tater*'
-    - '*Invoke-WScriptBypassUAC*'
-    - '*PowerUp*'
-    - '*PowerView*'
-    - '*Get-RickAstley*'
-    - '*Find-Fruit*'
-    - '*HTTP-Login*'
-    - '*Find-TrustedDocuments*'
-    - '*Invoke-Paranoia*'
-    - '*Invoke-WinEnum*'
-    - '*Invoke-ARPScan*'
-    - '*Invoke-PortScan*'
-    - '*Invoke-ReverseDNSLookup*'
-    - '*Invoke-SMBScanner*'
-    - '*Invoke-Mimikittenz*'
-    - '*Invoke-AllChecks*'
-  SELECTION_2:
-    ScriptBlockText: '*Get-SystemDriveInfo*'
-  condition: (SELECTION_1 and  not (SELECTION_2))
-falsepositives:
-- Penetration testing
-id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
-level: high
-logsource:
-  category: ps_script
-  definition: Script Block Logging must be enable
-  product: windows
-modified: 2021/10/16
-references:
-- https://adsecurity.org/?p=2921
-status: experimental
-tags:
-- attack.execution
-- attack.t1059.001
-- attack.t1086
-ruletype: SIGMA