Feature/rm submodule (#312)

* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a

rules/sigma/process_creation/win_susp_explorer.yml

@@ -0,0 +1,33 @@
+
+title: Proxy Execution Via Explorer.exe
+ruletype: Sigma
+author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative
+date: 2020/10/05
+description: Attackers can use explorer.exe for evading defense mechanisms
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    Image:
+    - '*\explorer.exe'
+  SELECTION_3:
+    ParentImage:
+    - '*\cmd.exe'
+  SELECTION_4:
+    CommandLine:
+    - '*explorer.exe*'
+  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
+falsepositives:
+- Legitimate explorer.exe run from cmd.exe
+id: 9eb271b9-24ae-4cd4-9465-19cfc1047f3e
+level: low
+logsource:
+  category: process_creation
+  product: windows
+modified: 2021/11/27
+references:
+- https://twitter.com/CyberRaiju/status/1273597319322058752
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1218