Update RootA_Specification.md

Author: UncoderIO

RootA_Specification.md

@@ -50,10 +50,9 @@ date: 2020-05-24
 mitre-attack:
     - t1003.001
     - t1136.003
-timeline:     # for Actors and campaigns only
-    2022-04-01 - 2022-08-08: Bumblebee
-    2022-07-27: KNOTWEED
-    2022-12-04: UAC-0082, CERT-UA#4435
+detection:
+    language: splunk-spl-query # elastic-lucene-query, logscale-lql-query, mde-kql-query
+    body: index=* ((((process="*comsvcs*") AND (process="*MiniDump*")) OR ((process="*comsvcs*") AND (process="*#24*"))) OR ((process="*comsvcs*") AND (process="*full*")))
 logsource:
     product: Windows                # Sigma or OCSF products
     log_name: Security              # OCSF log names
@@ -63,9 +62,10 @@ logsource:
     audit:
         source: Windows Security Event Log 
         enable: Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process
-detection:
-    language: splunk-spl-query # elastic-lucene-query, logscale-lql-query, mde-kql-query
-    body: index=* ((((process="*comsvcs*") AND (process="*MiniDump*")) OR ((process="*comsvcs*") AND (process="*#24*"))) OR ((process="*comsvcs*") AND (process="*full*")))
+timeline:     # for Actors and campaigns only
+    2022-04-01 - 2022-08-08: Bumblebee
+    2022-07-27: KNOTWEED
+    2022-12-04: UAC-0082, CERT-UA#4435
 references: 
     - https://badoption.eu/blog/2023/06/21/dumpit.html
 tags: Bumblebee, UAC-0082, CERT-UA#4435, KNOTWEED, Comsvcs, cir_ttps, ContentlistEndpoint