Feature/rm submodule (#312)

* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a

rules/sigma/builtin/security/win_remote_powershell_session.yml

@@ -0,0 +1,32 @@
+
+title: Remote PowerShell Sessions Network Connections (WinRM)
+ruletype: Sigma
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/09/12
+description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound
+  connections to ports 5985 OR 5986
+detection:
+  SELECTION_1:
+    EventID: 5156
+  SELECTION_2:
+    DestPort: 5985
+  SELECTION_3:
+    DestPort: 5986
+  SELECTION_4:
+    LayerRTID: 44
+  condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3) and SELECTION_4)
+falsepositives:
+- Legitimate use of remote PowerShell execution
+id: 13acf386-b8c6-4fe0-9a6e-c4756b974698
+level: high
+logsource:
+  product: windows
+  service: security
+modified: 2021/05/21
+references:
+- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
+status: experimental
+tags:
+- attack.execution
+- attack.t1086
+- attack.t1059.001