Detect Browser Fingerprint in IBM QRadar
Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, platform, user-agent string, resolution, time zone, etc. The HTTP User-Agent request header is a string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent. Adversaries may gather this information through System Information Discovery or by users navigating to adversary-controlled websites, and then use that information to craft their web traffic to evade defenses. This technique was documented in the FatDuke malware, which mimics a compromised user's traffic by using the same user agent as the installed browser.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1036 Masquerading
- Sub-technique
- T1036.012 Browser Fingerprint
- Canonical reference
- https://attack.mitre.org/techniques/T1036/012/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
sourceip,
destinationip,
destinationport,
username,
URL,
"User-Agent" AS user_agent_header,
LOGSOURCENAME(logsourceid) AS log_source,
QIDNAME(qid) AS event_name,
CATEGORYNAME(category) AS event_category,
CASE
WHEN LOWER("User-Agent") MATCHES '.*mozilla/4\.0.*compatible.*msie 7\.0.*windows nt 5\.1.*' THEN 3
WHEN LOWER("User-Agent") MATCHES '.*mozilla/5\.0.*compatible.*msie 10\.0.*trident/6\.0.*' THEN 3
WHEN LOWER("User-Agent") MATCHES '.*(msie [5-9]\.|firefox/[1-3][0-9]\.|chrome/[1-5][0-9]\.).*' THEN 2
WHEN NOT (LOWER("User-Agent") MATCHES '.*mozilla/5\.0.*') AND LOWER("User-Agent") MATCHES '^mozilla/.*' THEN 2
ELSE 1
END AS suspicion_score
FROM events
WHERE
LOGSOURCETYPEID IN (15, 18, 105, 352)
AND starttime > NOW() - 86400000
AND "User-Agent" IS NOT NULL
AND LENGTH("User-Agent") > 10
AND NOT (username IS NULL)
AND NOT LOWER(devicetype) MATCHES '.*(chrome|msedge|firefox|iexplore|opera|brave|vivaldi|safari).*'
AND (
LOWER("User-Agent") MATCHES '.*mozilla/4\.0.*compatible.*msie 7\.0.*'
OR LOWER("User-Agent") MATCHES '.*mozilla/5\.0.*compatible.*msie 10\.0.*trident.*'
OR LOWER("User-Agent") MATCHES '.*(msie [5-9]\.|firefox/[1-3][0-9]\.|chrome/[1-5][0-9]\.)\..*'
OR (NOT LOWER("User-Agent") MATCHES '.*mozilla/5\.0.*' AND LOWER("User-Agent") MATCHES '^mozilla/.*')
)
ORDER BY suspicion_score DESC, starttime DESCAQL query for IBM QRadar that detects browser fingerprint spoofing by correlating HTTP proxy/web log sources for known malware User-Agent strings, outdated browser versions used by non-browser processes, and malformed Mozilla version strings indicative of UA crafting.
Data Sources
Required Tables
False Positives & Tuning
- Penetration testing tools (sqlmap, nikto, w3af) configured with legacy UA strings to test application behavior against older browser emulation
- Enterprise web application testing frameworks that replay recorded HTTP sessions with original User-Agent strings from older capture sessions
- Third-party monitoring or synthetic transaction agents that use hardcoded legacy UA strings to simulate browser behavior for uptime checks
Other platforms for T1036.012
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1HTTP Request with Spoofed Browser User-Agent via curl
Expected signal: Sysmon Event ID 1: Process Create for curl.exe with '-A' and the full User-Agent string in CommandLine. Sysmon Event ID 3: Network Connection from curl.exe to httpbin.org IP on port 80. DeviceNetworkEvents with InitiatingProcessFileName=curl.exe connecting to external IP. Proxy logs show HTTP request with Chrome User-Agent from a non-browser process.
- Test 2PowerShell HTTP Request with Spoofed User-Agent
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with 'User-Agent' and 'MSIE 10.0' in CommandLine. Sysmon Event ID 3: Network Connection from powershell.exe to httpbin.org. PowerShell ScriptBlock Log Event ID 4104 with the full script content. Proxy logs show IE10 User-Agent from PowerShell process.
- Test 3Python HTTP Request Mimicking Browser Fingerprint
Expected signal: Auditd EXECVE record for python3 with the HTTP request script. Network connection from python3 to httpbin.org on port 80. Proxy logs show full browser-like header set (User-Agent, Accept, Accept-Language, Accept-Encoding) originating from a Python process rather than a browser.
References (7)
- https://attack.mitre.org/techniques/T1036/012/
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/User-Agent
- https://arxiv.org/pdf/2110.10129
- https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf
- https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/SigmaHQ/sigma/tree/master/rules/network
Unlock Pro Content
Get the full detection package for T1036.012 including response playbook, investigation guide, and atomic red team tests.