Feature/rm submodule (#312)

* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a

rules/sigma/other/ntlm/win_susp_ntlm_auth.yml

@@ -0,0 +1,30 @@
+
+title: NTLM Logon
+ruletype: Sigma
+author: Florian Roth
+date: 2018/06/08
+description: Detects logons using NTLM, which could be caused by a legacy source or
+  attackers
+detection:
+  SELECTION_1:
+    EventID: 8002
+  SELECTION_2:
+    ProcessName: '*'
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Legacy hosts
+id: 98c3bcf1-56f2-49dc-9d8d-c66cf190238b
+level: low
+logsource:
+  definition: Requires events from Microsoft-Windows-NTLM/Operational
+  product: windows
+  service: ntlm
+modified: 2021/11/20
+references:
+- https://twitter.com/JohnLaTwC/status/1004895028995477505
+- https://goo.gl/PsqrhT
+status: experimental
+tags:
+- attack.lateral_movement
+- attack.t1075
+- attack.t1550.002

rules/sigma/other/ntlm/win_susp_ntlm_rdp.yml

@@ -0,0 +1,35 @@
+
+title: Potential Remote Desktop Connection to Non-Domain Host
+ruletype: Sigma
+author: James Pemberton
+date: 2020/05/22
+description: Detects logons using NTLM to hosts that are potentially not part of the
+  domain.
+detection:
+  SELECTION_1:
+    EventID: 8001
+  SELECTION_2:
+    TargetName: TERMSRV*
+  condition: (SELECTION_1 and SELECTION_2)
+falsepositives:
+- Host connections to valid domains, exclude these.
+- Host connections not using host FQDN.
+- Host connections to external legitimate domains.
+fields:
+- Computer
+- UserName
+- DomainName
+- TargetName
+id: ce5678bb-b9aa-4fb5-be4b-e57f686256ad
+level: medium
+logsource:
+  definition: Requires events from Microsoft-Windows-NTLM/Operational
+  product: windows
+  service: ntlm
+modified: 2021/11/27
+references:
+- n/a
+status: test
+tags:
+- attack.command_and_control
+- attack.t1219