separate rules to submodule (#304)

* rm: rules

* Add: hayabusa-rules to submodule

rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml

@@ -1,51 +0,0 @@
-
-title: Abused Debug Privilege by Arbitrary Parent Processes
-author: Semanur Guneysu @semanurtg, oscd.community
-date: 2020/10/28
-description: Detection of unusual child processes by different system processes
-detection:
-  SELECTION_1:
-    EventID: 1
-  SELECTION_2:
-    ParentImage:
-    - '*\winlogon.exe'
-    - '*\services.exe'
-    - '*\lsass.exe'
-    - '*\csrss.exe'
-    - '*\smss.exe'
-    - '*\wininit.exe'
-    - '*\spoolsv.exe'
-    - '*\searchindexer.exe'
-  SELECTION_3:
-    Image:
-    - '*\powershell.exe'
-    - '*\cmd.exe'
-  SELECTION_4:
-    User:
-    - NT AUTHORITY\SYSTEM*
-    - AUTORITE NT\Sys*
-  SELECTION_5:
-    CommandLine: '* route *'
-  SELECTION_6:
-    CommandLine: '* ADD *'
-  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and  not
-    (SELECTION_5 and SELECTION_6))
-falsepositives:
-- unknown
-fields:
-- ParentImage
-- Image
-- User
-- CommandLine
-id: d522eca2-2973-4391-a3e0-ef0374321dae
-level: high
-logsource:
-  category: process_creation
-  product: windows
-references:
-- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
-status: experimental
-tags:
-- attack.privilege_escalation
-- attack.t1548
-ruletype: SIGMA