Feature/rm submodule (#312)

* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a

rules/sigma/process_creation/win_powershell_downgrade_attack.yml

@@ -0,0 +1,41 @@
+
+title: PowerShell Downgrade Attack
+ruletype: Sigma
+author: Harish Segar (rule)
+date: 2020/03/20
+description: Detects PowerShell downgrade attack by comparing the host versions with
+  the actually used engine version 2.0
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    CommandLine:
+    - '* -version 2 *'
+    - '* -versio 2 *'
+    - '* -versi 2 *'
+    - '* -vers 2 *'
+    - '* -ver 2 *'
+    - '* -ve 2 *'
+  SELECTION_3:
+    Image: '*\powershell.exe'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
+falsepositives:
+- Penetration Test
+- Unknown
+id: b3512211-c67e-4707-bedc-66efc7848863
+level: medium
+logsource:
+  category: process_creation
+  product: windows
+modified: 2021/11/27
+references:
+- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
+related:
+- id: 6331d09b-4785-4c13-980f-f96661356249
+  type: derived
+status: test
+tags:
+- attack.defense_evasion
+- attack.execution
+- attack.t1086
+- attack.t1059.001