Detect Browser Fingerprint in CrowdStrike LogScale
Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, platform, user-agent string, resolution, time zone, etc. The HTTP User-Agent request header is a string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent. Adversaries may gather this information through System Information Discovery or by users navigating to adversary-controlled websites, and then use that information to craft their web traffic to evade defenses. This technique was documented in the FatDuke malware, which mimics a compromised user's traffic by using the same user agent as the installed browser.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1036 Masquerading
- Sub-technique
- T1036.012 Browser Fingerprint
- Canonical reference
- https://attack.mitre.org/techniques/T1036/012/
LogScale Detection Query
// T1036.012 - Browser Fingerprint Spoofing Detection
// Detect non-browser processes injecting User-Agent headers or using known malware UA strings
#event_simpleName = NetworkConnectIP4 OR #event_simpleName = ProcessRollup2
// Filter for non-browser initiating processes
| NOT ImageFileName = /(?i)(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe|vivaldi\.exe|MicrosoftEdgeUpdate\.exe|msedgewebview2\.exe|safari)$/
// Match known malware UA strings or UA injection patterns in command line
| CommandLine = /(?i)(User-Agent|useragent|-H\s+"Mozilla|Mozilla\/4\.0.*compatible.*MSIE 7\.0.*Windows NT 5\.1|Mozilla\/5\.0.*compatible.*MSIE 10\.0.*Trident\/6\.0|Firefox\/40\.1)/
// Score the suspicion level
| SuspicionScore := if(
CommandLine = /(?i)(Mozilla\/4\.0.*compatible.*MSIE 7\.0.*Windows NT 5\.1|Mozilla\/5\.0.*compatible.*MSIE 10\.0.*Trident\/6\.0)/,
3,
if(CommandLine = /(?i)(MSIE [5-9]\.|Firefox\/[1-3][0-9]\.|Chrome\/[1-5][0-9]\.)/,
2,
1
)
)
| where SuspicionScore > 0
| groupBy(
[ComputerName, UserName, ImageFileName, CommandLine, RemoteAddressIP4, RemotePort, SuspicionScore],
function=[
count(as=EventCount),
min(timestamp, as=FirstSeen),
max(timestamp, as=LastSeen)
]
)
| sort(SuspicionScore, order=desc)
| table([ComputerName, UserName, ImageFileName, CommandLine, RemoteAddressIP4, RemotePort, SuspicionScore, EventCount, FirstSeen, LastSeen])CrowdStrike LogScale (Falcon) query detecting T1036.012 browser fingerprint spoofing. Correlates ProcessRollup2 and NetworkConnectIP4 events to identify non-browser processes using command-line arguments that inject known malware UA strings or explicitly set User-Agent headers in outbound HTTP requests.
Data Sources
Required Tables
False Positives & Tuning
- Red team or penetration testing tools (Cobalt Strike, Metasploit, Empire) that mimic browser UA strings as part of authorized C2 channel setup — distinguish via authorized engagement windows
- Legitimate DevOps scripts using curl or Invoke-WebRequest with -UserAgent flags for REST API authentication or web scraping pipelines
- Patch management or asset inventory agents (Tanium, BigFix) that embed specific UA strings to identify themselves to internal proxy allowlists
Other platforms for T1036.012
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1HTTP Request with Spoofed Browser User-Agent via curl
Expected signal: Sysmon Event ID 1: Process Create for curl.exe with '-A' and the full User-Agent string in CommandLine. Sysmon Event ID 3: Network Connection from curl.exe to httpbin.org IP on port 80. DeviceNetworkEvents with InitiatingProcessFileName=curl.exe connecting to external IP. Proxy logs show HTTP request with Chrome User-Agent from a non-browser process.
- Test 2PowerShell HTTP Request with Spoofed User-Agent
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with 'User-Agent' and 'MSIE 10.0' in CommandLine. Sysmon Event ID 3: Network Connection from powershell.exe to httpbin.org. PowerShell ScriptBlock Log Event ID 4104 with the full script content. Proxy logs show IE10 User-Agent from PowerShell process.
- Test 3Python HTTP Request Mimicking Browser Fingerprint
Expected signal: Auditd EXECVE record for python3 with the HTTP request script. Network connection from python3 to httpbin.org on port 80. Proxy logs show full browser-like header set (User-Agent, Accept, Accept-Language, Accept-Encoding) originating from a Python process rather than a browser.
References (7)
- https://attack.mitre.org/techniques/T1036/012/
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/User-Agent
- https://arxiv.org/pdf/2110.10129
- https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf
- https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/SigmaHQ/sigma/tree/master/rules/network
Unlock Pro Content
Get the full detection package for T1036.012 including response playbook, investigation guide, and atomic red team tests.