sans-blue-team / DeepBlueCLI

GNU General Public License v3.0

Add more Mimikatz detection, focusing on token::elevate as a non-admin user #11

Closed joswr1ght closed 5 years ago

joswr1ght commented 5 years ago

This PR adds another Mimikatz detect. Instead of relying on multiple-privilege-use thresholding (which may evade detection for single-run Mimikatz hashdump use), this detect matches on the specific privileges requested by Mimikatz when running token::elevate:

C:\tools>mimikatz

  .#####.   mimikatz 2.2.0 (x64) #17763 Apr 28 2019 22:07:59
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # token::elevate
Token Id  : 0
User name :
SID name  : NT AUTHORITY\SYSTEM

548     {0;000003e7} 1 D 43678          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Primary
 -> Impersonated !
 * Process Token : {0;000198d6} 1 F 2964970     DESKTOP-JR78RLP\jwrig   S-1-5-21-979008924-657238111-836329461-1002     (15g,23p)       Primary
 * Thread Token  : {0;000003e7} 1 D 3021845     NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Impersonation (Delegation)

This action will produce an Event ID 4672 message with the following characteristics:

Special privileges assigned to new logon.

Subject:
    Security ID:        SYSTEM
    Account Name:       SYSTEM
    Account Domain:     NT AUTHORITY
    Logon ID:       0x3E7

Privileges:     SeAssignPrimaryTokenPrivilege
            SeTcbPrivilege
            SeSecurityPrivilege
            SeTakeOwnershipPrivilege
            SeLoadDriverPrivilege
            SeBackupPrivilege
            SeRestorePrivilege
            SeDebugPrivilege
            SeAuditPrivilege
            SeSystemEnvironmentPrivilege
            SeImpersonatePrivilege
            SeDelegateSessionUserImpersonatePrivilege

This rule matches on all of the privileges. This pattern matches all known Mimikatz 2.X releases.

YEET!
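The detection logic described in this PR, as an added example that is not part of the PR or DeepBlueCLI's own (PowerShell) code: it parses the rendered message text of Event ID 4672 records, extracts the subject fields and the privilege list, and fires only when every one of the twelve privileges from the token::elevate sample above is present ("matches on all of the privileges"). The two event messages are constructed inline; the first is the SYSTEM/0x3E7 event from the PR, the second is a made-up ordinary administrator logon whose privilege set lacks several of the required entries, so it does not match. Field names, function names and the superset interpretation of "all of the privileges" are assumptions of this example.

```python
import re
from typing import Dict, List, Set

# The twelve privileges listed in the PR's 4672 sample for mimikatz token::elevate.
MIMIKATZ_TOKEN_ELEVATE_PRIVS: Set[str] = {
    "SeAssignPrimaryTokenPrivilege",
    "SeTcbPrivilege",
    "SeSecurityPrivilege",
    "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege",
    "SeBackupPrivilege",
    "SeRestorePrivilege",
    "SeDebugPrivilege",
    "SeAuditPrivilege",
    "SeSystemEnvironmentPrivilege",
    "SeImpersonatePrivilege",
    "SeDelegateSessionUserImpersonatePrivilege",
}

# Constructed sample 1: the rendered 4672 message text shown in the PR.
SAMPLE_MIMIKATZ = """Special privileges assigned to new logon.

Subject:
    Security ID:        SYSTEM
    Account Name:       SYSTEM
    Account Domain:     NT AUTHORITY
    Logon ID:       0x3E7

Privileges:     SeAssignPrimaryTokenPrivilege
            SeTcbPrivilege
            SeSecurityPrivilege
            SeTakeOwnershipPrivilege
            SeLoadDriverPrivilege
            SeBackupPrivilege
            SeRestorePrivilege
            SeDebugPrivilege
            SeAuditPrivilege
            SeSystemEnvironmentPrivilege
            SeImpersonatePrivilege
            SeDelegateSessionUserImpersonatePrivilege
"""

# Constructed sample 2 (hypothetical): a normal elevated admin logon. It carries
# many privileges but not SeTcbPrivilege, SeAssignPrimaryTokenPrivilege or
# SeAuditPrivilege, so the "all twelve" rule must not fire on it.
SAMPLE_ADMIN_LOGON = """Special privileges assigned to new logon.

Subject:
    Security ID:        S-1-5-21-111111111-222222222-333333333-500
    Account Name:       Administrator
    Account Domain:     EXAMPLE-PC
    Logon ID:       0x5A3F1

Privileges:     SeSecurityPrivilege
            SeTakeOwnershipPrivilege
            SeLoadDriverPrivilege
            SeBackupPrivilege
            SeRestorePrivilege
            SeDebugPrivilege
            SeSystemEnvironmentPrivilege
            SeImpersonatePrivilege
            SeDelegateSessionUserImpersonatePrivilege
"""

SAMPLE_EVENTS: List[str] = [SAMPLE_MIMIKATZ, SAMPLE_ADMIN_LOGON]


def parse_4672(message: str) -> Dict[str, object]:
    """Extract the Subject fields and the privilege set from a 4672 message body."""
    event: Dict[str, object] = {}
    for key in ("Security ID", "Account Name", "Account Domain", "Logon ID"):
        m = re.search(rf"^\s*{key}:\s*(\S.*?)\s*$", message, re.MULTILINE)
        event[key] = m.group(1) if m else None
    # Privileges are listed one per line after the "Privileges:" label; collect
    # every Se...Privilege token that follows it.
    idx = message.find("Privileges:")
    privs = set(re.findall(r"Se\w+Privilege", message[idx:])) if idx >= 0 else set()
    event["Privileges"] = privs
    return event


def is_mimikatz_token_elevate(event: Dict[str, object]) -> bool:
    """True when every privilege from the token::elevate signature is present."""
    return MIMIKATZ_TOKEN_ELEVATE_PRIVS.issubset(event["Privileges"])  # type: ignore[arg-type]


def scan_events(messages: List[str]) -> List[Dict[str, object]]:
    """Run the rule over a batch of 4672 message bodies and return the alerts."""
    alerts = []
    for i, msg in enumerate(messages):
        ev = parse_4672(msg)
        if is_mimikatz_token_elevate(ev):
            alerts.append({
                "index": i,
                "account": f"{ev['Account Domain']}\\{ev['Account Name']}",
                "logon_id": ev["Logon ID"],
                "privilege_count": len(ev["Privileges"]),  # type: ignore[arg-type]
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print("Possible mimikatz token::elevate (4672):", alert)
```

In a real deployment the message text would come from the Security log (for example, exported records or the rendered message of each 4672 event) rather than the inline strings; the parser only depends on the label layout shown in the PR.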