1 ACCEPTED SOLUTION
Accepted Solutions
Please bare with me as I am a little new with NetWitness and these investigations. 
If I do a alias.host drill for huffingtonpost.com for the last 7 days, I see thousands of hits on that site but I only see this botnet alert for 1-3 users per day and their traffic is only 1-3 hits per user.
I am thinking with the type of site this is, that the users would be clicking on more than 1-3 links.
I did approach one of the users about this and apparently he did not know he was even going to this site. He showed me how he goes to aol.com for news but did not know that most of their news feed comes from huffington which you can clearly see once you click on the link and are routed to huffingtonpost.com.
In regards to your questions:
Are the queries out of business hours? no
Are they happening only when users turn their computers on in the morning? various times during the day
Is there other user initiated behavior going on during the times when the "beacons" appear? doesnt seem to be
Pivot on a source IP and step through a timeline to see if it looks like pattern-of-life behavior or pattern-of-malware. i notice 1-3 hits to the site and thats it but theres no apparent pattern for these alerts
Also, what are the queries? random things on huffington
Do they look like standard GET requests or are they POST methods with unusual base64 encoded strings? not sure. i am still a bit of a noob with this
Are your internal systems calling out to Huffington Post doing anything else unusual like trying to call out on unusual ports or protocols? doesnt look it
Thanks so much for your time.
I have seen quite a few huffington post hits (about 4 per day over the last week). They came up at normal times and triggered on/as botnet and botnet_bredolab threats. After some simple Google foo the conclusion that I drew was that it triggered on action=bot and was a false positive.
The reason I thought this is that I found articles like this
- http://www.securelist.com/en/analysis/204792152/End_of_the_Line_for_the_Bredolab_Botnet
that showed what the C&C traffic might look like. And the action=bot was present in that also also as "event_action=bottom_thumbnail_nav" in ONE of the GET requests in the session 
. Unfortunately it looks like the detection rule is not "anchored" on the ends (ie: it doesnt need to match 1 parameter).
On a related side question - is there any way in NW to go BACKWARDS to find what caused a rule to be triggered? EG: which domain/part of a request has resulted in NW thinking that it is an Advanced Persistent Threat would be great!
Fielder,
This is what we have. I did not set this up personally. This was set up when our PS rep came in a month ago.
