Feature/rm submodule (#312)

* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a

rules/sigma/process_creation/win_xsl_script_processing.yml

@@ -0,0 +1,48 @@
+
+title: XSL Script Processing
+ruletype: Sigma
+author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+description: Extensible Stylesheet Language (XSL) files are commonly used to describe
+  the processing and rendering of data within XML files. Rule detects when adversaries
+  abuse this functionality to execute arbitrary files while potentially bypassing
+  application whitelisting defenses.
+detection:
+  SELECTION_1:
+    EventID: 1
+  SELECTION_2:
+    Image: '*\wmic.exe'
+  SELECTION_3:
+    CommandLine: '*/format*'
+  SELECTION_4:
+    Image: '*\msxsl.exe'
+  SELECTION_5:
+    CommandLine:
+    - '*/Format:List*'
+    - '*/Format:htable*'
+    - '*/Format:hform*'
+    - '*/Format:table*'
+    - '*/Format:mof*'
+    - '*/Format:value*'
+    - '*/Format:rawxml*'
+    - '*/Format:xml*'
+    - '*/Format:csv*'
+  condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or SELECTION_4) and  not
+    (SELECTION_5))
+falsepositives:
+- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.
+- msxsl.exe is not installed by default, so unlikely.
+- Static format arguments - https://petri.com/command-line-wmi-part-3
+id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
+level: medium
+logsource:
+  category: process_creation
+  product: windows
+modified: 2021/11/29
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md
+status: test
+tags:
+- attack.defense_evasion
+- attack.t1220
+- attack.execution