Feature/rm submodule (#312)

* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a

rules/sigma/process_creation/process_creation_certoc_execution.yml

@@ -0,0 +1,33 @@
+
+title: Suspicious Load DLL via CertOC.exe
+ruletype: Sigma
+author: Austin Songer @austinsonger
+date: 2021/10/23
+description: Detects when a user installs certificates by using CertOC.exe to loads
+  the target DLL file.
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    Image: '*\certoc.exe'
+  SELECTION_3:
+    CommandLine: '*-LoadDLL*'
+  SELECTION_4:
+    CommandLine: '*.dll*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- None
+fields:
+- CommandLine
+- ParentCommandLine
+id: 242301bc-f92f-4476-8718-78004a6efd9f
+level: medium
+logsource:
+  category: process_creation
+  product: windows
+references:
+- https://twitter.com/sblmsrsn/status/1445758411803480072?s=20
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1218