T1036.012 Splunk · SPL

Detect Browser Fingerprint in Splunk

Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, platform, user-agent string, resolution, time zone, etc. The HTTP User-Agent request header is a string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent. Adversaries may gather this information through System Information Discovery or by users navigating to adversary-controlled websites, and then use that information to craft their web traffic to evade defenses. This technique was documented in the FatDuke malware, which mimics a compromised user's traffic by using the same user agent as the installed browser.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1036 Masquerading
Sub-technique
T1036.012 Browser Fingerprint
Canonical reference
https://attack.mitre.org/techniques/T1036/012/

SPL Detection Query

Splunk (SPL)
spl 
index=proxy OR index=web sourcetype="stream:http" OR sourcetype="bluecoat" OR sourcetype="squid"
| eval ua=lower(http_user_agent)
| eval process=lower(process_name)
| where isnotnull(ua) AND len(ua) > 10
| eval non_browser=if(NOT match(process, "^(chrome|msedge|firefox|iexplore|opera|brave|vivaldi|safari)"), 1, 0)
| where non_browser=1 OR isnull(process)
| eval outdated_browser=if(match(ua, "(msie [5-9]\.|firefox/[1-3][0-9]\.|chrome/[1-5][0-9]\.)"), 1, 0)
| eval missing_fields=if(NOT match(ua, "mozilla/5\.0") AND match(ua, "^mozilla/"), 1, 0)
| eval known_malware_ua=if(match(ua, "(mozilla/4\.0.*compatible.*msie 7\.0.*windows nt 5\.1|mozilla/5\.0.*compatible.*msie 10\.0.*trident/6\.0)"), 1, 0)
| eval SuspicionScore=non_browser + outdated_browser + missing_fields + known_malware_ua
| where SuspicionScore > 0
| table _time, src_ip, dest_ip, dest_port, http_user_agent, uri_path, process_name, SuspicionScore
| sort - SuspicionScore - _time
medium severity low confidence

Detects browser fingerprint spoofing by analyzing HTTP User-Agent strings from proxy and web traffic logs. Identifies non-browser processes making HTTP requests with browser-like User-Agent strings, outdated browser version strings commonly used by older malware families, and known malicious User-Agent patterns. Uses proxy/web logs (Bluecoat, Squid, Splunk Stream) to capture the actual HTTP User-Agent header rather than relying on process-level telemetry alone.

Data Sources

Network Traffic: Network Traffic ContentProxy LogsSplunk Stream HTTP

Required Sourcetypes

stream:http

False Positives & Tuning

  • Legitimate software updaters using HTTP with browser-like User-Agent strings
  • System administration scripts using curl/wget with custom User-Agent strings
  • Monitoring agents making health-check HTTP requests
  • Development and testing automation tools setting custom User-Agent headers
Download portable Sigma rule (.yml)

Other platforms for T1036.012

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1HTTP Request with Spoofed Browser User-Agent via curl

    Expected signal: Sysmon Event ID 1: Process Create for curl.exe with '-A' and the full User-Agent string in CommandLine. Sysmon Event ID 3: Network Connection from curl.exe to httpbin.org IP on port 80. DeviceNetworkEvents with InitiatingProcessFileName=curl.exe connecting to external IP. Proxy logs show HTTP request with Chrome User-Agent from a non-browser process.

  2. Test 2PowerShell HTTP Request with Spoofed User-Agent

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with 'User-Agent' and 'MSIE 10.0' in CommandLine. Sysmon Event ID 3: Network Connection from powershell.exe to httpbin.org. PowerShell ScriptBlock Log Event ID 4104 with the full script content. Proxy logs show IE10 User-Agent from PowerShell process.

  3. Test 3Python HTTP Request Mimicking Browser Fingerprint

    Expected signal: Auditd EXECVE record for python3 with the HTTP request script. Network connection from python3 to httpbin.org on port 80. Proxy logs show full browser-like header set (User-Agent, Accept, Accept-Language, Accept-Encoding) originating from a Python process rather than a browser.

Last updated: 2026-04-16 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1036.012 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1036Masquerading

Related Sub-techniques

T1036.001Invalid Code SignatureT1036.002Right-to-Left OverrideT1036.003Rename Legitimate UtilitiesT1036.004Masquerade Task or ServiceT1036.005Match Legitimate Resource Name or LocationT1036.006Space after FilenameT1036.007Double File ExtensionT1036.008Masquerade File TypeT1036.009Break Process TreesT1036.010Masquerade Account NameT1036.011Overwrite Process Arguments

Related Techniques

T1036MasqueradingT1071.001Web ProtocolsT1571Non-Standard PortT1573Encrypted ChannelT1082System Information DiscoveryT1132Data EncodingT1001Data Obfuscation

Same Tactic: Defense Evasion

Popular Detections