Feature/rm submodule (#312)

* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a

rules/sigma/process_access/sysmon_malware_verclsid_shellcode.yml

@@ -0,0 +1,42 @@
+
+title: Malware Shellcode in Verclsid Target Process
+ruletype: Sigma
+author: John Lambert (tech), Florian Roth (rule)
+date: 2017/03/04
+description: Detects a process access to verclsid.exe that injects shellcode from
+  a Microsoft Office application / VBA macro
+detection:
+  SELECTION_1:
+    EventID: 10
+  SELECTION_2:
+    TargetImage: '*\verclsid.exe'
+  SELECTION_3:
+    GrantedAccess: '0x1FFFFF'
+  SELECTION_4:
+    CallTrace: '*|UNKNOWN(*'
+  SELECTION_5:
+    CallTrace: '*VBE7.DLL*'
+  SELECTION_6:
+    SourceImage: '*\Microsoft Office\\*'
+  SELECTION_7:
+    CallTrace: '*|UNKNOWN*'
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and ((SELECTION_4 and
+    SELECTION_5) or (SELECTION_6 and SELECTION_7)))
+falsepositives:
+- unknown
+id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1
+level: high
+logsource:
+  category: process_access
+  definition: 'Use the following config to generate the necessary Event ID 10 Process
+    Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess
+    onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
+  product: windows
+modified: 2021/11/27
+references:
+- https://twitter.com/JohnLaTwC/status/837743453039534080
+status: test
+tags:
+- attack.defense_evasion
+- attack.privilege_escalation
+- attack.t1055