T1036.012 Microsoft Sentinel · KQL

Detect Browser Fingerprint in Microsoft Sentinel

Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, platform, user-agent string, resolution, time zone, etc. The HTTP User-Agent request header is a string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent. Adversaries may gather this information through System Information Discovery or by users navigating to adversary-controlled websites, and then use that information to craft their web traffic to evade defenses. This technique was documented in the FatDuke malware, which mimics a compromised user's traffic by using the same user agent as the installed browser.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1036 Masquerading
Sub-technique
T1036.012 Browser Fingerprint
Canonical reference
https://attack.mitre.org/techniques/T1036/012/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let KnownMalwareUA = dynamic([
  "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
  "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
  "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
]);
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteIPType == "Public"
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe", "brave.exe", "vivaldi.exe", "MicrosoftEdgeUpdate.exe", "msedgewebview2.exe")
| where isnotempty(InitiatingProcessCommandLine)
| extend HasUserAgent = InitiatingProcessCommandLine has "User-Agent" or InitiatingProcessCommandLine has "useragent" or InitiatingProcessCommandLine has "-H \"Mozilla"
| where HasUserAgent
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
         RemoteIP, RemotePort, RemoteUrl, AccountName
| sort by Timestamp desc
medium severity low confidence

Detects non-browser processes making HTTP requests with explicit User-Agent strings, which may indicate C2 malware or tools spoofing browser fingerprints to blend with legitimate traffic. Excludes known browser executables and focuses on processes like PowerShell, cmd, rundll32, or custom binaries that explicitly set User-Agent headers in their command lines. Also maintains a list of known malware User-Agent strings for direct matching.

Data Sources

Network Traffic: Network Traffic ContentNetwork Traffic: Network Connection CreationMicrosoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives & Tuning

  • Legitimate software updaters that use HTTP with browser-like User-Agent strings (e.g., Windows Update, Adobe updaters, application auto-update mechanisms)
  • System administration tools like curl, wget, Invoke-WebRequest used in legitimate scripts that set custom User-Agent strings for API compatibility
  • Monitoring and health-check agents that use HTTP requests with User-Agent strings to verify web service availability
  • Development and testing tools (Postman, Selenium, Playwright) that set User-Agent headers as part of web application testing workflows
Download portable Sigma rule (.yml)

Other platforms for T1036.012

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1HTTP Request with Spoofed Browser User-Agent via curl

    Expected signal: Sysmon Event ID 1: Process Create for curl.exe with '-A' and the full User-Agent string in CommandLine. Sysmon Event ID 3: Network Connection from curl.exe to httpbin.org IP on port 80. DeviceNetworkEvents with InitiatingProcessFileName=curl.exe connecting to external IP. Proxy logs show HTTP request with Chrome User-Agent from a non-browser process.

  2. Test 2PowerShell HTTP Request with Spoofed User-Agent

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with 'User-Agent' and 'MSIE 10.0' in CommandLine. Sysmon Event ID 3: Network Connection from powershell.exe to httpbin.org. PowerShell ScriptBlock Log Event ID 4104 with the full script content. Proxy logs show IE10 User-Agent from PowerShell process.

  3. Test 3Python HTTP Request Mimicking Browser Fingerprint

    Expected signal: Auditd EXECVE record for python3 with the HTTP request script. Network connection from python3 to httpbin.org on port 80. Proxy logs show full browser-like header set (User-Agent, Accept, Accept-Language, Accept-Encoding) originating from a Python process rather than a browser.

Last updated: 2026-04-16 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1036.012 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1036Masquerading

Related Sub-techniques

T1036.001Invalid Code SignatureT1036.002Right-to-Left OverrideT1036.003Rename Legitimate UtilitiesT1036.004Masquerade Task or ServiceT1036.005Match Legitimate Resource Name or LocationT1036.006Space after FilenameT1036.007Double File ExtensionT1036.008Masquerade File TypeT1036.009Break Process TreesT1036.010Masquerade Account NameT1036.011Overwrite Process Arguments

Related Techniques

T1036MasqueradingT1071.001Web ProtocolsT1571Non-Standard PortT1573Encrypted ChannelT1082System Information DiscoveryT1132Data EncodingT1001Data Obfuscation

Same Tactic: Defense Evasion

Popular Detections