T1036.012 Elastic Security · Elastic

Detect Browser Fingerprint in Elastic Security

Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, platform, user-agent string, resolution, time zone, etc. The HTTP User-Agent request header is a string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent. Adversaries may gather this information through System Information Discovery or by users navigating to adversary-controlled websites, and then use that information to craft their web traffic to evade defenses. This technique was documented in the FatDuke malware, which mimics a compromised user's traffic by using the same user agent as the installed browser.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1036 Masquerading
Sub-technique
T1036.012 Browser Fingerprint
Canonical reference
https://attack.mitre.org/techniques/T1036/012/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.id, process.entity_id
  [network where event.type == "start" and network.direction == "outbound" and
   not process.name in~ ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe", "brave.exe", "vivaldi.exe", "MicrosoftEdgeUpdate.exe", "msedgewebview2.exe", "safari", "chromium") and
   (
     process.args : ("*User-Agent*", "*useragent*", "-H \"Mozilla*") or
     process.command_line : ("*Mozilla/4.0*compatible*MSIE 7.0*Windows NT 5.1*",
                              "*Mozilla/5.0*compatible*MSIE 10.0*Trident/6.0*",
                              "*Firefox/40.1*",
                              "*User-Agent*", "*useragent*")
   )
  ]
  [network where event.type == "start" and network.direction == "outbound" and destination.address != null]
medium severity medium confidence

Detects non-browser processes injecting spoofed or known-malware User-Agent strings into HTTP requests. Covers FatDuke-style UA mimicry and explicit User-Agent header injection via command-line arguments in tools like curl, PowerShell, or Python.

Data Sources

Endpoint (Elastic Agent with endpoint integration)Network packet capture (Packetbeat)Windows event logs via Winlogbeat

Required Tables

logs-endpoint.events.network-*logs-endpoint.events.process-*packetbeat-*

False Positives & Tuning

  • Legitimate automation scripts (curl, wget, Python requests) that set custom User-Agent strings for API compatibility or web scraping testing
  • Security scanning tools (Nessus, Qualys, Burp Suite) that use custom or outdated UA strings during authorized assessments
  • Software update mechanisms or telemetry agents that embed hardcoded legacy User-Agent strings for compatibility with older endpoints
Download portable Sigma rule (.yml)

Other platforms for T1036.012

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1HTTP Request with Spoofed Browser User-Agent via curl

    Expected signal: Sysmon Event ID 1: Process Create for curl.exe with '-A' and the full User-Agent string in CommandLine. Sysmon Event ID 3: Network Connection from curl.exe to httpbin.org IP on port 80. DeviceNetworkEvents with InitiatingProcessFileName=curl.exe connecting to external IP. Proxy logs show HTTP request with Chrome User-Agent from a non-browser process.

  2. Test 2PowerShell HTTP Request with Spoofed User-Agent

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with 'User-Agent' and 'MSIE 10.0' in CommandLine. Sysmon Event ID 3: Network Connection from powershell.exe to httpbin.org. PowerShell ScriptBlock Log Event ID 4104 with the full script content. Proxy logs show IE10 User-Agent from PowerShell process.

  3. Test 3Python HTTP Request Mimicking Browser Fingerprint

    Expected signal: Auditd EXECVE record for python3 with the HTTP request script. Network connection from python3 to httpbin.org on port 80. Proxy logs show full browser-like header set (User-Agent, Accept, Accept-Language, Accept-Encoding) originating from a Python process rather than a browser.

Last updated: 2026-04-16 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1036.012 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1036Masquerading

Related Sub-techniques

T1036.001Invalid Code SignatureT1036.002Right-to-Left OverrideT1036.003Rename Legitimate UtilitiesT1036.004Masquerade Task or ServiceT1036.005Match Legitimate Resource Name or LocationT1036.006Space after FilenameT1036.007Double File ExtensionT1036.008Masquerade File TypeT1036.009Break Process TreesT1036.010Masquerade Account NameT1036.011Overwrite Process Arguments

Related Techniques

T1036MasqueradingT1071.001Web ProtocolsT1571Non-Standard PortT1573Encrypted ChannelT1082System Information DiscoveryT1132Data EncodingT1001Data Obfuscation

Same Tactic: Defense Evasion

Popular Detections