feat(rules): New LSASS process clone creation via reflection rule

rules/credential_access_lsass_process_clone_creation_via_reflection.yml

@@ -0,0 +1,31 @@
+name: LSASS process clone creation via reflection
+id: cdf3810a-4832-446a-ac9d-d108cf2e313c
+version: 1.0.0
+description: |
+  Identifies the creation of an LSASS clone process via RtlCreateProcessReflection API function.
+  Adversaries can use this technique to dump credentials material from the LSASS fork and evade
+  defenses.
+labels:
+  tactic.id: TA0006
+  tactic.name: Credential Access
+  tactic.ref: https://attack.mitre.org/tactics/TA0006/
+  technique.id: T1003
+  technique.name: OS Credential Dumping
+  technique.ref: https://attack.mitre.org/techniques/T1003/
+  subtechnique.id: T1003.001
+  subtechnique.name: LSASS Memory
+  subtechnique.ref: https://attack.mitre.org/techniques/T1003/001/
+references:
+  - https://github.com/Offensive-Panda/LsassReflectDumping
+  - https://s3cur3th1ssh1t.github.io/Reflective-Dump-Tools/
+
+condition: >
+  spawn_process and ps.name ~= 'lsass.exe' and ps.child.name ~= 'lsass.exe'
+    and
+  thread.callstack.symbols imatches ('ntdll.dll!RtlCloneUserProcess', 'ntdll.dll!RtlCreateProcessReflection')
+action:
+  - name: kill
+
+severity: high
+
+min-engine-version: 2.2.0