Feature/rm submodule (#312)

* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a

rules/sigma/create_stream_hash/sysmon_ads_executable.yml

@@ -0,0 +1,35 @@
+
+title: Executable in ADS
+ruletype: Sigma
+author: Florian Roth, @0xrawsec
+date: 2018/06/03
+description: Detects the creation of an ADS data stream that contains an executable
+  (non-empty imphash)
+detection:
+  SELECTION_1:
+    EventID: 15
+  SELECTION_2:
+    Hashes: '*IMPHASH=*'
+  SELECTION_3:
+    Hashes: '*IMPHASH=00000000000000000000000000000000*'
+  condition: (SELECTION_1 and SELECTION_2 and  not (SELECTION_3))
+falsepositives:
+- unknown
+fields:
+- TargetFilename
+- Image
+id: b69888d4-380c-45ce-9cf9-d9ce46e67821
+level: critical
+logsource:
+  category: create_stream_hash
+  definition: 'Requirements: Sysmon config with Imphash logging activated'
+  product: windows
+modified: 2021/12/08
+references:
+- https://twitter.com/0xrawsec/status/1002478725605273600?s=21
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1027
+- attack.s0139
+- attack.t1564.004