T1036.012 Browser Fingerprint Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let KnownMalwareUA = dynamic([
  "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
  "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
  "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
]);
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteIPType == "Public"
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe", "brave.exe", "vivaldi.exe", "MicrosoftEdgeUpdate.exe", "msedgewebview2.exe")
| where isnotempty(InitiatingProcessCommandLine)
| extend HasUserAgent = InitiatingProcessCommandLine has "User-Agent" or InitiatingProcessCommandLine has "useragent" or InitiatingProcessCommandLine has "-H \"Mozilla"
| where HasUserAgent
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
         RemoteIP, RemotePort, RemoteUrl, AccountName
| sort by Timestamp desc

medium severity low confidence

Data Sources

Network Traffic: Network Traffic Content Network Traffic: Network Connection Creation Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives

Legitimate software updaters that use HTTP with browser-like User-Agent strings (e.g., Windows Update, Adobe updaters, application auto-update mechanisms)
System administration tools like curl, wget, Invoke-WebRequest used in legitimate scripts that set custom User-Agent strings for API compatibility
Monitoring and health-check agents that use HTTP requests with User-Agent strings to verify web service availability
Development and testing tools (Postman, Selenium, Playwright) that set User-Agent headers as part of web application testing workflows

Splunk

spl

index=proxy OR index=web sourcetype="stream:http" OR sourcetype="bluecoat" OR sourcetype="squid"
| eval ua=lower(http_user_agent)
| eval process=lower(process_name)
| where isnotnull(ua) AND len(ua) > 10
| eval non_browser=if(NOT match(process, "^(chrome|msedge|firefox|iexplore|opera|brave|vivaldi|safari)"), 1, 0)
| where non_browser=1 OR isnull(process)
| eval outdated_browser=if(match(ua, "(msie [5-9]\.|firefox/[1-3][0-9]\.|chrome/[1-5][0-9]\.)"), 1, 0)
| eval missing_fields=if(NOT match(ua, "mozilla/5\.0") AND match(ua, "^mozilla/"), 1, 0)
| eval known_malware_ua=if(match(ua, "(mozilla/4\.0.*compatible.*msie 7\.0.*windows nt 5\.1|mozilla/5\.0.*compatible.*msie 10\.0.*trident/6\.0)"), 1, 0)
| eval SuspicionScore=non_browser + outdated_browser + missing_fields + known_malware_ua
| where SuspicionScore > 0
| table _time, src_ip, dest_ip, dest_port, http_user_agent, uri_path, process_name, SuspicionScore
| sort - SuspicionScore - _time

medium severity low confidence

Data Sources

Network Traffic: Network Traffic Content Proxy Logs Splunk Stream HTTP

Required Sourcetypes

stream:http

False Positives

Legitimate software updaters using HTTP with browser-like User-Agent strings
System administration scripts using curl/wget with custom User-Agent strings
Monitoring agents making health-check HTTP requests
Development and testing automation tools setting custom User-Agent headers

Elastic Security (EQL)

eql

sequence by host.id, process.entity_id
  [network where event.type == "start" and network.direction == "outbound" and
   not process.name in~ ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe", "brave.exe", "vivaldi.exe", "MicrosoftEdgeUpdate.exe", "msedgewebview2.exe", "safari", "chromium") and
   (
     process.args : ("*User-Agent*", "*useragent*", "-H \"Mozilla*") or
     process.command_line : ("*Mozilla/4.0*compatible*MSIE 7.0*Windows NT 5.1*",
                              "*Mozilla/5.0*compatible*MSIE 10.0*Trident/6.0*",
                              "*Firefox/40.1*",
                              "*User-Agent*", "*useragent*")
   )
  ]
  [network where event.type == "start" and network.direction == "outbound" and destination.address != null]

medium severity medium confidence

Data Sources

Endpoint (Elastic Agent with endpoint integration) Network packet capture (Packetbeat) Windows event logs via Winlogbeat

Required Tables

logs-endpoint.events.network-* logs-endpoint.events.process-* packetbeat-*

False Positives

Legitimate automation scripts (curl, wget, Python requests) that set custom User-Agent strings for API compatibility or web scraping testing
Security scanning tools (Nessus, Qualys, Burp Suite) that use custom or outdated UA strings during authorized assessments
Software update mechanisms or telemetry agents that embed hardcoded legacy User-Agent strings for compatibility with older endpoints

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  destinationport,
  username,
  URL,
  "User-Agent" AS user_agent_header,
  LOGSOURCENAME(logsourceid) AS log_source,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS event_category,
  CASE
    WHEN LOWER("User-Agent") MATCHES '.*mozilla/4\.0.*compatible.*msie 7\.0.*windows nt 5\.1.*' THEN 3
    WHEN LOWER("User-Agent") MATCHES '.*mozilla/5\.0.*compatible.*msie 10\.0.*trident/6\.0.*' THEN 3
    WHEN LOWER("User-Agent") MATCHES '.*(msie [5-9]\.|firefox/[1-3][0-9]\.|chrome/[1-5][0-9]\.).*' THEN 2
    WHEN NOT (LOWER("User-Agent") MATCHES '.*mozilla/5\.0.*') AND LOWER("User-Agent") MATCHES '^mozilla/.*' THEN 2
    ELSE 1
  END AS suspicion_score
FROM events
WHERE
  LOGSOURCETYPEID IN (15, 18, 105, 352)
  AND starttime > NOW() - 86400000
  AND "User-Agent" IS NOT NULL
  AND LENGTH("User-Agent") > 10
  AND NOT (username IS NULL)
  AND NOT LOWER(devicetype) MATCHES '.*(chrome|msedge|firefox|iexplore|opera|brave|vivaldi|safari).*'
  AND (
    LOWER("User-Agent") MATCHES '.*mozilla/4\.0.*compatible.*msie 7\.0.*'
    OR LOWER("User-Agent") MATCHES '.*mozilla/5\.0.*compatible.*msie 10\.0.*trident.*'
    OR LOWER("User-Agent") MATCHES '.*(msie [5-9]\.|firefox/[1-3][0-9]\.|chrome/[1-5][0-9]\.)\..*'
    OR (NOT LOWER("User-Agent") MATCHES '.*mozilla/5\.0.*' AND LOWER("User-Agent") MATCHES '^mozilla/.*')
  )
ORDER BY suspicion_score DESC, starttime DESC

medium severity medium confidence

Data Sources

Web proxy logs (Squid, Blue Coat, Zscaler) HTTP flow data (QRadar network activity) Endpoint detection events with process-HTTP correlation

Required Tables

events (LOGSOURCETYPEID 15 = Apache, 18 = Squid, 105 = Blue Coat, 352 = Zscaler)

False Positives

Penetration testing tools (sqlmap, nikto, w3af) configured with legacy UA strings to test application behavior against older browser emulation
Enterprise web application testing frameworks that replay recorded HTTP sessions with original User-Agent strings from older capture sessions
Third-party monitoring or synthetic transaction agents that use hardcoded legacy UA strings to simulate browser behavior for uptime checks

Sumo Logic CSE

sql

_sourceCategory=proxy OR _sourceCategory=web/access OR _sourceCategory=network/http
| parse "\"*\"" as http_user_agent nodrop
| parse field=_raw "User-Agent: *\n" as http_user_agent nodrop
| where !isNull(http_user_agent) and length(http_user_agent) > 10
| parse field=_raw "process=*" as process_name nodrop
| parse field=_raw "cs-username=*" as username nodrop
| parse field=_raw "c-ip=*" as src_ip nodrop
| parse field=_raw "cs-uri-stem=*" as uri_path nodrop
| eval ua = toLowerCase(http_user_agent)
| eval process = toLowerCase(process_name)
| eval non_browser = if(!matches(process, "^(chrome|msedge|firefox|iexplore|opera|brave|vivaldi|safari)"), 1, 0)
| where non_browser = 1 or isNull(process_name)
| eval known_malware_ua = if(
    matches(ua, "mozilla/4\.0.*compatible.*msie 7\.0.*windows nt 5\.1") or
    matches(ua, "mozilla/5\.0.*compatible.*msie 10\.0.*trident/6\.0"),
    3, 0)
| eval outdated_browser = if(
    matches(ua, "(msie [5-9]\\.|firefox/[1-3][0-9]\\.|chrome/[1-5][0-9]\\.") ,
    2, 0)
| eval missing_fields = if(
    !matches(ua, "mozilla/5\.0") and matches(ua, "^mozilla/"),
    2, 0)
| eval SuspicionScore = known_malware_ua + outdated_browser + missing_fields + non_browser
| where SuspicionScore > 0
| fields _messageTime, src_ip, http_user_agent, uri_path, process_name, SuspicionScore
| sort by SuspicionScore, _messageTime desc
| count by src_ip, http_user_agent, SuspicionScore

medium severity medium confidence

Data Sources

Web proxy logs (Squid, Blue Coat, Zscaler, F5) Web server access logs (Apache, Nginx, IIS) Network metadata with HTTP inspection

Required Tables

_sourceCategory=proxy _sourceCategory=web/access _sourceCategory=network/http

False Positives

Custom HTTP client libraries (Java HttpClient, Python requests, Go net/http) that use default or customized User-Agent strings during legitimate API integrations
CI/CD pipeline tools or build agents making outbound HTTP calls with service-specific User-Agent strings that match legacy browser patterns
Headless browser automation for test suites (Selenium, Playwright in headless mode) that emit UA strings different from standard browser defaults

Google Chronicle / SecOps

yaral

rule browser_fingerprint_ua_spoofing {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1036.012 Browser Fingerprint spoofing via known malware User-Agent strings or non-browser processes injecting UA headers"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1036.012"
    severity = "MEDIUM"
    confidence = "MEDIUM"
    version = "1.0"
    created = "2026-04-16"

  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    $e.network.http.user_agent != ""

    // Match known malware UA strings documented in FatDuke and similar
    (
      re.regex($e.network.http.user_agent,
        `(?i)(Mozilla/4\.0 \(compatible; MSIE 7\.0; Windows NT 5\.1\)|Mozilla/5\.0 \(compatible; MSIE 10\.0; Windows NT 6\.1; Trident/6\.0\)|Mozilla/5\.0 \(Windows NT 6\.1; WOW64; rv:40\.0\) Gecko/20100101 Firefox/40\.1)`
      )
      OR
      // Non-browser process with explicit UA header injection
      (
        not re.regex($e.principal.process.file.full_path,
          `(?i)(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe|vivaldi\.exe|safari)`
        )
        AND
        re.regex($e.principal.process.command_line,
          `(?i)(User-Agent|useragent|-H\s+"Mozilla)`
        )
      )
      OR
      // Outdated browser UA strings from non-browser processes
      (
        not re.regex($e.principal.process.file.full_path,
          `(?i)(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe|vivaldi\.exe|safari)`
        )
        AND
        re.regex($e.network.http.user_agent,
          `(?i)(MSIE [5-9]\.|Firefox/[1-3][0-9]\.|Chrome/[1-5][0-9]\.)`
        )
      )
    )

  condition:
    $e
}

medium severity medium confidence

Data Sources

Google Chronicle UDM (Unified Data Model) network events Web proxy/gateway logs ingested into Chronicle Endpoint telemetry with process-network correlation via Chronicle Endpoint agent

Required Tables

NETWORK_HTTP UDM events Chronicle Endpoint Detection events

False Positives

Automated infrastructure monitoring tools (Nagios, Zabbix HTTP checks) that use wget or curl with custom UA strings to validate web service availability
Software deployment agents (SCCM, Ansible, Chef) making HTTP calls with tool-specific User-Agent strings that may match legacy browser patterns
Threat intelligence platforms or SOAR tools performing automated IOC lookups that send HTTP requests with non-standard UA strings

CrowdStrike LogScale (CQL)

cql

// T1036.012 - Browser Fingerprint Spoofing Detection
// Detect non-browser processes injecting User-Agent headers or using known malware UA strings

#event_simpleName = NetworkConnectIP4 OR #event_simpleName = ProcessRollup2

// Filter for non-browser initiating processes
| NOT ImageFileName = /(?i)(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe|vivaldi\.exe|MicrosoftEdgeUpdate\.exe|msedgewebview2\.exe|safari)$/

// Match known malware UA strings or UA injection patterns in command line
| CommandLine = /(?i)(User-Agent|useragent|-H\s+"Mozilla|Mozilla\/4\.0.*compatible.*MSIE 7\.0.*Windows NT 5\.1|Mozilla\/5\.0.*compatible.*MSIE 10\.0.*Trident\/6\.0|Firefox\/40\.1)/

// Score the suspicion level
| SuspicionScore := if(
    CommandLine = /(?i)(Mozilla\/4\.0.*compatible.*MSIE 7\.0.*Windows NT 5\.1|Mozilla\/5\.0.*compatible.*MSIE 10\.0.*Trident\/6\.0)/,
    3,
    if(CommandLine = /(?i)(MSIE [5-9]\.|Firefox\/[1-3][0-9]\.|Chrome\/[1-5][0-9]\.)/,
      2,
      1
    )
  )

| where SuspicionScore > 0

| groupBy(
    [ComputerName, UserName, ImageFileName, CommandLine, RemoteAddressIP4, RemotePort, SuspicionScore],
    function=[
      count(as=EventCount),
      min(timestamp, as=FirstSeen),
      max(timestamp, as=LastSeen)
    ]
  )

| sort(SuspicionScore, order=desc)
| table([ComputerName, UserName, ImageFileName, CommandLine, RemoteAddressIP4, RemotePort, SuspicionScore, EventCount, FirstSeen, LastSeen])

medium severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint sensor (ProcessRollup2) CrowdStrike Falcon network events (NetworkConnectIP4, DnsRequest) Falcon Data Replicator (FDR) event stream

Required Tables

ProcessRollup2 NetworkConnectIP4 DnsRequest

False Positives

Red team or penetration testing tools (Cobalt Strike, Metasploit, Empire) that mimic browser UA strings as part of authorized C2 channel setup — distinguish via authorized engagement windows
Legitimate DevOps scripts using curl or Invoke-WebRequest with -UserAgent flags for REST API authentication or web scraping pipelines
Patch management or asset inventory agents (Tanium, BigFix) that embed specific UA strings to identify themselves to internal proxy allowlists

Browser Fingerprint

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections