update create-process-suspended to include DEBUG_ONLY_THIS_PROCESS

[mike-hunhoff]

With the Debug Injection method, the ransomware first uses the function “CreateProcessW” with the “DEBUG_ONLY_THIS_PROCESS” creation flag. Creating the “Explorer.exe” process in this state allows the ransomware to suspend the process and modify its memory. This is when then ransomware calls “NtMapViewOfSection” to copy itself to the process and fix its relocations. Afterward, it calls “NtGetContextThread” to receive the thread context of the main thread for “Explorer.exe”. It then sets the instruction pointer (EIP) to the mapped ransomware’s selected entry point. “ContinueDebugEvent” is then called to continue the execution of “Explorer.exe” and the following call is to “DebugActiveProcessStop” which finally detaches the ransomware’s debugger from the process.

source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-two-of-three/

DEBUG_ONLY_THIS_PROCESS (0x00000002)
The calling thread starts and debugs the new process. It can receive all related debug events using the WaitForDebugEvent function.

[mike-hunhoff]

The source sample from my analysis is not public.

[williballenthin]

would you please add the documentation/reference links from this issue into the rule?