T1036.012 Google Chronicle · YARA-L

Detect Browser Fingerprint in Google Chronicle

Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, platform, user-agent string, resolution, time zone, etc. The HTTP User-Agent request header is a string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent. Adversaries may gather this information through System Information Discovery or by users navigating to adversary-controlled websites, and then use that information to craft their web traffic to evade defenses. This technique was documented in the FatDuke malware, which mimics a compromised user's traffic by using the same user agent as the installed browser.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1036 Masquerading
Sub-technique
T1036.012 Browser Fingerprint
Canonical reference
https://attack.mitre.org/techniques/T1036/012/

YARA-L Detection Query

Google Chronicle (YARA-L)

```yaral
rule browser_fingerprint_ua_spoofing {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1036.012 Browser Fingerprint spoofing via known malware User-Agent strings or non-browser processes injecting UA headers"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1036.012"
    severity = "MEDIUM"
    confidence = "MEDIUM"
    version = "1.0"
    created = "2026-04-16"

  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    $e.network.http.user_agent != ""

    (
      // Clause 1: User-Agent strings documented for FatDuke and similar malware.
      // Works on proxy logs alone; no process context needed.
      re.regex($e.network.http.user_agent,
        `(?i)(Mozilla/4\.0 \(compatible; MSIE 7\.0; Windows NT 5\.1\)|Mozilla/5\.0 \(compatible; MSIE 10\.0; Windows NT 6\.1; Trident/6\.0\)|Mozilla/5\.0 \(Windows NT 6\.1; WOW64; rv:40\.0\) Gecko/20100101 Firefox/40\.1)`
      )
      or
      // Clause 2: a non-browser process that sets the User-Agent explicitly on its
      // command line (curl -A "Mozilla...", curl -H "User-Agent: ...", PowerShell -UserAgent).
      // Requires process fields on the HTTP event, i.e. endpoint telemetry rather than proxy logs;
      // the non-empty path check keeps "not a browser" from being vacuously true on proxy-only events.
      (
        $e.principal.process.file.full_path != ""
        and not re.regex($e.principal.process.file.full_path,
          `(?i)[\\/](chrome|msedge|firefox|iexplore|opera|brave|vivaldi|safari)(\.exe)?$`
        )
        and re.regex($e.principal.process.command_line,
          `(?i)(User-Agent|useragent|-A\s+["']?Mozilla)`
        )
      )
      or
      // Clause 3: a non-browser process presenting an outdated browser UA
      // (IE 5-9, Firefox 10-39, Chrome 10-59). Same process-context requirement as clause 2.
      (
        $e.principal.process.file.full_path != ""
        and not re.regex($e.principal.process.file.full_path,
          `(?i)[\\/](chrome|msedge|firefox|iexplore|opera|brave|vivaldi|safari)(\.exe)?$`
        )
        and re.regex($e.network.http.user_agent,
          `(?i)(MSIE [5-9]\.|Firefox/[1-3][0-9]\.|Chrome/[1-5][0-9]\.)`
        )
      )
    )

  condition:
    $e
}
```

Chronicle YARA-L 2.0 rule detecting T1036.012 Browser Fingerprint spoofing. It matches known FatDuke User-Agent strings, non-browser processes that set a User-Agent on their command line, and outdated browser UA strings emitted by non-browser processes over HTTP. The first clause works on proxy logs alone; the other two need the HTTP event to carry principal.process fields, so they only fire on endpoint telemetry that correlates the process with its web request and stay silent on proxy-only events where the process path is empty.
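To see what the three clauses actually fire on before the rule goes live, the following added example (not part of the page or of the Chronicle rule) reimplements the rule's regexes with Python's re module and runs them over constructed UDM-style events. The dictionary keys are UDM field paths; the events, file paths and curl/PowerShell command lines are constructed for illustration, not captured telemetry. It also applies the check a practitioner would want on clauses 2 and 3: they require a process path, so a proxy-only event with an old User-Agent does not trip the "non-browser process" logic.

```python
"""Offline check of the three clauses of browser_fingerprint_ua_spoofing.

Added example, not the Chronicle rule itself: the regexes are reproduced with
Python's re module (RE2 and Python re agree on this subset) and evaluated over
constructed UDM-style events so expected hits and misses can be verified.
"""
import re

# Clause 1: User-Agent strings documented for FatDuke and similar malware.
KNOWN_MALWARE_UA = re.compile(
    r"(?i)(Mozilla/4\.0 \(compatible; MSIE 7\.0; Windows NT 5\.1\)"
    r"|Mozilla/5\.0 \(compatible; MSIE 10\.0; Windows NT 6\.1; Trident/6\.0\)"
    r"|Mozilla/5\.0 \(Windows NT 6\.1; WOW64; rv:40\.0\) Gecko/20100101 Firefox/40\.1)"
)
# Browser image names, anchored to the last path component so "notchrome.exe" is not a browser.
BROWSER_PROCESS = re.compile(
    r"(?i)[\\/](chrome|msedge|firefox|iexplore|opera|brave|vivaldi|safari)(\.exe)?$"
)
# Clause 2: UA set on the command line (curl -A, curl -H "User-Agent: ...", PowerShell -UserAgent).
UA_ON_CMDLINE = re.compile(r"""(?i)(User-Agent|useragent|-A\s+["']?Mozilla)""")
# Clause 3: outdated browser versions (IE 5-9, Firefox 10-39, Chrome 10-59).
OUTDATED_UA = re.compile(r"(?i)(MSIE [5-9]\.|Firefox/[1-3][0-9]\.|Chrome/[1-5][0-9]\.)")


def evaluate(event: dict) -> list:
    """Return the names of the rule clauses that match one UDM-style event."""
    if event.get("metadata.event_type") != "NETWORK_HTTP":
        return []
    ua = event.get("network.http.user_agent", "")
    if not ua:
        return []
    path = event.get("principal.process.file.full_path", "")
    cmdline = event.get("principal.process.command_line", "")
    hits = []
    if KNOWN_MALWARE_UA.search(ua):
        hits.append("known_malware_ua")
    # Clauses 2 and 3 need process context: with an empty path, "not a browser"
    # would be vacuously true for every proxy-only event.
    non_browser = bool(path) and not BROWSER_PROCESS.search(path)
    if non_browser and UA_ON_CMDLINE.search(cmdline):
        hits.append("ua_injected_on_cmdline")
    if non_browser and OUTDATED_UA.search(ua):
        hits.append("outdated_ua_non_browser")
    return hits


CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
IE10_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"

# Constructed events. Process fields appear only where endpoint telemetry would supply them.
SAMPLE_EVENTS = {
    "curl_modern_chrome_ua": {  # Test 1: curl -A with a current Chrome UA
        "metadata.event_type": "NETWORK_HTTP",
        "network.http.user_agent": CHROME_UA,
        "principal.process.file.full_path": r"C:\Windows\System32\curl.exe",
        "principal.process.command_line": f'curl.exe -A "{CHROME_UA}" http://httpbin.org/get',
    },
    "powershell_ie10_ua": {  # Test 2: PowerShell sending the IE10 string from clause 1
        "metadata.event_type": "NETWORK_HTTP",
        "network.http.user_agent": IE10_UA,
        "principal.process.file.full_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "principal.process.command_line": f"powershell.exe -c \"Invoke-WebRequest -Uri http://httpbin.org/get -UserAgent '{IE10_UA}'\"",
    },
    "real_chrome": {  # genuine browser with a current UA: must not fire
        "metadata.event_type": "NETWORK_HTTP",
        "network.http.user_agent": CHROME_UA,
        "principal.process.file.full_path": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "principal.process.command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
    },
    "proxy_only_old_firefox": {  # proxy log without process context: clauses 2 and 3 stay silent
        "metadata.event_type": "NETWORK_HTTP",
        "network.http.user_agent": "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0",
    },
}


def evaluate_all(events: dict = SAMPLE_EVENTS) -> dict:
    """Map each sample event name to the clauses it triggers."""
    return {name: evaluate(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hits in evaluate_all().items():
        print(f"{name:26s} -> {hits or 'no match'}")
```

The proxy-only case is the one to keep in mind when tuning: if your HTTP events come from a web gateway rather than an EDR, only clause 1 can ever fire, and the outdated-UA clause will not catch the python3 or curl cases unless process context is joined onto the event.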

Data Sources

  • Google Chronicle UDM (Unified Data Model) network events
  • Web proxy/gateway logs ingested into Chronicle
  • Endpoint telemetry with process-network correlation via Chronicle Endpoint agent

Required Tables

  • NETWORK_HTTP UDM events
  • Chronicle Endpoint Detection events

False Positives & Tuning

  • Automated infrastructure monitoring tools (Nagios, Zabbix HTTP checks) that use wget or curl with custom UA strings to validate web service availability
  • Software deployment agents (SCCM, Ansible, Chef) making HTTP calls with tool-specific User-Agent strings that may match legacy browser patterns
  • Threat intelligence platforms or SOAR tools performing automated IOC lookups that send HTTP requests with non-standard UA strings
  • Internal scripts that set a browser User-Agent because a web service rejects the default python-requests, Python-urllib or PowerShell agent; baseline these by process path and destination before excluding them

Testing Methodology

Validate this detection against the three adversary test cases below, modelled on Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: HTTP Request with Spoofed Browser User-Agent via curl

    Expected signal: Sysmon Event ID 1: Process Create for curl.exe with '-A' and the full User-Agent string in CommandLine. Sysmon Event ID 3: Network Connection from curl.exe to httpbin.org IP on port 80. DeviceNetworkEvents with InitiatingProcessFileName=curl.exe connecting to external IP. Proxy logs show HTTP request with Chrome User-Agent from a non-browser process.

  2. Test 2: PowerShell HTTP Request with Spoofed User-Agent

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with 'User-Agent' and 'MSIE 10.0' in CommandLine. Sysmon Event ID 3: Network Connection from powershell.exe to httpbin.org. PowerShell ScriptBlock Log Event ID 4104 with the full script content. Proxy logs show IE10 User-Agent from PowerShell process.

  3. Test 3: Python HTTP Request Mimicking Browser Fingerprint

    Expected signal: Auditd EXECVE record for python3 with the HTTP request script. Network connection from python3 to httpbin.org on port 80. Proxy logs show full browser-like header set (User-Agent, Accept, Accept-Language, Accept-Encoding) originating from a Python process rather than a browser.
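Test 3 can be exercised without reaching httpbin.org. The added example below (not from the page; the header values are constructed) has a Python client send one request carrying a browser-like header set to a throwaway echo server on loopback that stands in for httpbin.org/get and returns the headers it received. That lets you confirm exactly which fingerprint left the process before you go looking for it in proxy or EDR telemetry, and the surrounding process and network telemetry (auditd EXECVE, the python3 connection) is generated the same way as against a remote target.

```python
"""Generate the Test 3 traffic offline: a Python client with a browser-like
header set talking to a local echo server. Added example, not part of the page;
the header values are constructed, and the loopback server replaces httpbin.org.
"""
import json
import socketserver
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler

# Constructed header set mimicking a current desktop Chrome fingerprint.
BROWSER_HEADERS = {
    "User-Agent": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"),
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.9",
    "Accept-Encoding": "gzip, deflate",
}


class _EchoHandler(BaseHTTPRequestHandler):
    """Stand-in for httpbin.org/get: echoes the request headers back as JSON."""

    def do_GET(self):
        # Lower-case the names: urllib capitalises them ("User-agent") on the way out.
        headers = {k.lower(): v for k, v in self.headers.items()}
        body = json.dumps({"headers": headers}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args):
        pass  # keep the example quiet


def send_spoofed_request(headers: dict = BROWSER_HEADERS) -> dict:
    """Send one GET with the spoofed headers to a local echo server; return what it saw."""
    # Port 0 lets the OS pick a free port; TCPServer avoids HTTPServer's reverse-DNS lookup.
    server = socketserver.TCPServer(("127.0.0.1", 0), _EchoHandler)
    worker = threading.Thread(target=server.serve_forever, daemon=True)
    worker.start()
    try:
        url = f"http://127.0.0.1:{server.server_address[1]}/get"
        req = urllib.request.Request(url, headers=headers)
        # Empty ProxyHandler: ignore any http_proxy environment so the request stays on loopback.
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        with opener.open(req, timeout=5) as resp:
            return json.loads(resp.read())["headers"]
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, value in send_spoofed_request().items():
        print(f"{name}: {value}")
```

Because Accept-Encoding is supplied explicitly, http.client does not add its default "identity" value, so the header set the server records is the one you chose and not a mixture of spoofed and library defaults; that matters when the proxy rule you are testing keys on the full header combination rather than on User-Agent alone.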
