Feature/rm submodule (#312)

* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a

rules/sigma/process_creation/win_html_help_spawn.yml

@@ -0,0 +1,48 @@
+
+title: HTML Help Shell Spawn
+ruletype: Sigma
+author: Maxim Pavlunin
+date: 2020/04/01
+description: Detects a suspicious child process of a Microsoft HTML Help system when
+  executing compiled HTML files (.chm)
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    ParentImage: C:\Windows\hh.exe
+  SELECTION_3:
+    Image:
+    - '*\cmd.exe'
+    - '*\powershell.exe'
+    - '*\wscript.exe'
+    - '*\cscript.exe'
+    - '*\regsvr32.exe'
+    - '*\wmic.exe'
+    - '*\rundll32.exe'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- unknown
+fields:
+- CommandLine
+- ParentCommandLine
+id: 52cad028-0ff0-4854-8f67-d25dfcbc78b4
+level: high
+logsource:
+  category: process_creation
+  product: windows
+modified: 2021/11/27
+references:
+- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1218.001
+- attack.t1218.010
+- attack.t1218.011
+- attack.execution
+- attack.t1223
+- attack.t1059.001
+- attack.t1059.003
+- attack.t1059.005
+- attack.t1059.007
+- attack.t1047