Feature/rm submodule (#312)

* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a

rules/sigma/process_creation/win_malware_script_dropper.yml

@@ -0,0 +1,47 @@
+
+title: WScript or CScript Dropper
+ruletype: Sigma
+author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community
+date: 2019/01/16
+description: Detects wscript/cscript executions of scripts located in user directories
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    Image:
+    - '*\wscript.exe'
+    - '*\cscript.exe'
+  SELECTION_3:
+    CommandLine:
+    - '*C:\Users\\*'
+    - '*C:\ProgramData\\*'
+  SELECTION_4:
+    CommandLine:
+    - '*.jse*'
+    - '*.vbe*'
+    - '*.js*'
+    - '*.vba*'
+    - '*.vbs*'
+  SELECTION_5:
+    ParentImage: '*\winzip*'
+  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and  not
+    (SELECTION_5))
+falsepositives:
+- Winzip
+- Other self-extractors
+fields:
+- CommandLine
+- ParentCommandLine
+id: cea72823-df4d-4567-950c-0b579eaf0846
+level: high
+logsource:
+  category: process_creation
+  product: windows
+modified: 2021/11/27
+status: test
+tags:
+- attack.execution
+- attack.t1059.005
+- attack.t1059.007
+- attack.defense_evasion
+- attack.t1064