create Restart Manager session

rule:
  meta:
    name: create Restart Manager session
    namespace: host-interaction/process
    authors:
      - michael.hunhoff@mandiant.com
    description: Windows Restart Manager can be used to close/unlock specific files, often abused by Ransomware
    scopes:
      static: function
      dynamic: call
    references:
      - https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/
  features:
    - or:
      - api: rstrtmgr.RmStartSession