Feature/rm submodule (#312)

* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a

rules/sigma/process_creation/win_susp_certutil_command.yml

@@ -0,0 +1,61 @@
+
+title: Suspicious Certutil Command
+ruletype: Sigma
+author: Florian Roth, juju4, keepwatch
+date: 2019/01/16
+description: Detects a suspicious Microsoft certutil execution with sub commands like
+  'decode' sub command, which is sometimes used to decode malicious code with the
+  built-in certutil utility
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    CommandLine:
+    - '* -decode *'
+    - '* -decodehex *'
+    - '* -urlcache *'
+    - '* -verifyctl *'
+    - '* -encode *'
+    - '* /decode *'
+    - '* /decodehex *'
+    - '* /urlcache *'
+    - '* /verifyctl *'
+    - '* /encode *'
+  SELECTION_3:
+    Image: '*\certutil.exe'
+  SELECTION_4:
+    CommandLine:
+    - '*URL*'
+    - '*ping*'
+  condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4)))
+falsepositives:
+- False positives depend on scripts and administrative tools used in the monitored
+  environment
+fields:
+- CommandLine
+- ParentCommandLine
+id: e011a729-98a6-4139-b5c4-bf6f6dd8239a
+level: high
+logsource:
+  category: process_creation
+  product: windows
+modified: 2021/04/23
+references:
+- https://twitter.com/JohnLaTwC/status/835149808817991680
+- https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/
+- https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
+- https://twitter.com/egre55/status/1087685529016193025
+- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1140
+- attack.command_and_control
+- attack.t1105
+- attack.s0160
+- attack.g0007
+- attack.g0010
+- attack.g0045
+- attack.g0049
+- attack.g0075
+- attack.g0096