Feature/rm submodule (#312)

* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a

rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml

@@ -0,0 +1,52 @@
+
+title: Abused Debug Privilege by Arbitrary Parent Processes
+ruletype: Sigma
+author: Semanur Guneysu @semanurtg, oscd.community
+date: 2020/10/28
+description: Detection of unusual child processes by different system processes
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    ParentImage:
+    - '*\winlogon.exe'
+    - '*\services.exe'
+    - '*\lsass.exe'
+    - '*\csrss.exe'
+    - '*\smss.exe'
+    - '*\wininit.exe'
+    - '*\spoolsv.exe'
+    - '*\searchindexer.exe'
+  SELECTION_3:
+    Image:
+    - '*\powershell.exe'
+    - '*\cmd.exe'
+  SELECTION_4:
+    User:
+    - NT AUTHORITY\SYSTEM*
+    - AUTORITE NT\Sys*
+  SELECTION_5:
+    CommandLine: '* route *'
+  SELECTION_6:
+    CommandLine: '* ADD *'
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and  not
+    (SELECTION_5 and SELECTION_6))
+falsepositives:
+- unknown
+fields:
+- ParentImage
+- Image
+- User
+- CommandLine
+id: d522eca2-2973-4391-a3e0-ef0374321dae
+level: high
+logsource:
+  category: process_creation
+  product: windows
+modified: 2021/11/27
+references:
+- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
+status: test
+tags:
+- attack.privilege_escalation
+- attack.t1548