chore(rules): Consider DUP_HANDLE access right

Certain tools tend to duplicate the lsass process
token and then initiate the minidump creation.

Author: rabbitstack

rules/credential_access_lsass_memory_dumping.yml

@@ -23,7 +23,7 @@ condition: >
   sequence
   maxspan 2m
   by ps.uuid
-    |open_process and ps.access.mask.names in ('ALL_ACCESS', 'CREATE_PROCESS', 'VM_READ')
+    |open_process and ps.access.mask.names in ('ALL_ACCESS', 'CREATE_PROCESS', 'VM_READ', 'DUP_HANDLE')
       and
      kevt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'
       and