fibratus
Revamp Yara memory/file scanning
Description
Presently, the Yara scanner acts on process creation and image loading events to initiate the scan. For process creation events, the memory scan is performed on the child process. However, we can expand the scan capabilities to various other signals:
- created files
- loaded images, whether the image is an executable, a DLL, or a driver
- memory allocations
- mappings of the section views
- registry binary type values
We could consider executing some of these scans concurrently. When a rule match is observed, an alert is sent via the registered alert senders.