Detect Browser Fingerprint in Sumo Logic CSE
Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, platform, user-agent string, resolution, time zone, etc. The HTTP User-Agent request header is a string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent. Adversaries may gather this information through System Information Discovery or by users navigating to adversary-controlled websites, and then use that information to craft their web traffic to evade defenses. This technique was documented in the FatDuke malware, which mimics a compromised user's traffic by using the same user agent as the installed browser.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1036 Masquerading
- Sub-technique: T1036.012 Browser Fingerprint
- Canonical reference: https://attack.mitre.org/techniques/T1036/012/
Sumo Detection Query
_sourceCategory=proxy OR _sourceCategory=web/access OR _sourceCategory=network/http
// User-Agent from the first double-quoted field, or from a raw header line
| parse "\"*\"" as http_user_agent nodrop
| parse field=_raw "User-Agent: *\n" as http_user_agent nodrop
| where !isNull(http_user_agent) and length(http_user_agent) > 10
| parse field=_raw "process=*" as process_name nodrop
| parse field=_raw "cs-username=*" as username nodrop
| parse field=_raw "c-ip=*" as src_ip nodrop
| parse field=_raw "cs-uri-stem=*" as uri_path nodrop
| toLowerCase(http_user_agent) as ua
| toLowerCase(process_name) as process
// 1 when the requesting process is unknown or is not a browser binary
| if(isNull(process) or !(process matches /^(chrome|msedge|firefox|iexplore|opera|brave|vivaldi|safari)/), 1, 0) as non_browser
| where non_browser = 1
// User-Agent strings hard-coded by known malware families
| if(ua matches /mozilla\/4\.0.*compatible.*msie 7\.0.*windows nt 5\.1/
     or ua matches /mozilla\/5\.0.*compatible.*msie 10\.0.*trident\/6\.0/, 3, 0) as known_malware_ua
// Browser versions long out of support
| if(ua matches /(msie [5-9]\.|firefox\/[1-3][0-9]\.|chrome\/[1-5][0-9]\.)/, 2, 0) as outdated_browser
// Mozilla-prefixed UA that is not the modern "Mozilla/5.0" form
| if(!(ua matches /mozilla\/5\.0/) and ua matches /^mozilla\//, 2, 0) as missing_fields
| known_malware_ua + outdated_browser + missing_fields + non_browser as SuspicionScore
| where SuspicionScore > 0
| fields _messageTime, src_ip, http_user_agent, uri_path, process_name, SuspicionScore
| count by src_ip, http_user_agent, SuspicionScore
| sort by SuspicionScore desc, _count desc
Sumo Logic query detecting browser fingerprint spoofing through HTTP proxy and web access logs by scoring User-Agent strings for known malware signatures, outdated browser versions, and malformed UA formats originating from non-browser processes.
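The scoring logic of the query above, re-implemented in Python as an added stand-alone example (not part of the original page, and not Sumo Logic code) so the rule can be exercised offline before it is deployed. The sample events are constructed for this example in the key=value layout the query's parse statements expect, with the User-Agent as the only double-quoted field, since the query's first parse anchor picks up the first quoted field; three of them mirror the telemetry the Testing Methodology section describes (curl with a Chrome UA, PowerShell with an IE10 UA, python3 with a browser-like UA). The key=value helper assumes a value runs to the next whitespace.

```python
import re
from typing import Optional

# Patterns mirror the Sumo query's matches expressions; the query lowercases
# the User-Agent before matching, so every pattern is lowercase.
BROWSER_PROCESS = re.compile(r"^(chrome|msedge|firefox|iexplore|opera|brave|vivaldi|safari)")
KNOWN_MALWARE_UA = [
    re.compile(r"mozilla/4\.0.*compatible.*msie 7\.0.*windows nt 5\.1"),
    re.compile(r"mozilla/5\.0.*compatible.*msie 10\.0.*trident/6\.0"),
]
OUTDATED_BROWSER = re.compile(r"(msie [5-9]\.|firefox/[1-3][0-9]\.|chrome/[1-5][0-9]\.)")

# Constructed sample events (not real logs). The User-Agent is the only
# double-quoted field, which is what the query's first parse anchor extracts.
SAMPLE_LOGS = [
    # Test 1: curl presenting a current Chrome UA -> non-browser process only
    'c-ip=10.0.0.5 cs-username=alice cs-uri-stem=/get process=curl.exe '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"',
    # Test 2: PowerShell presenting the IE10/Trident 6 UA the query scores as known malware
    'c-ip=10.0.0.6 cs-username=bob cs-uri-stem=/get process=powershell.exe '
    '"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"',
    # Test 3: python3 presenting a browser-like but long-outdated Firefox UA
    'c-ip=10.0.0.7 cs-username=carol cs-uri-stem=/headers process=python3 '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0"',
    # Benign: the same Chrome UA from the real browser binary -> dropped
    'c-ip=10.0.0.8 cs-username=dave cs-uri-stem=/ process=chrome.exe '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"',
    # API client with a non-Mozilla UA -> non-browser score only
    'c-ip=10.0.0.9 cs-uri-stem=/api process=java "Java/17.0.2"',
    # No process field, legacy Mozilla/4.0 UA -> outdated + malformed + unknown process
    'c-ip=10.0.0.10 cs-uri-stem=/update "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    # UA too short for the length(http_user_agent) > 10 filter -> dropped
    'c-ip=10.0.0.11 cs-uri-stem=/ process=curl.exe "curl/8.4"',
]


def parse_kv(raw: str, key: str) -> Optional[str]:
    """Emulate parse "key=*": assumes the value runs to the next whitespace."""
    m = re.search(re.escape(key) + r"=(\S+)", raw)
    return m.group(1) if m else None


def parse_user_agent(raw: str) -> Optional[str]:
    """Emulate the two UA parse statements: first quoted field, else a header line."""
    m = re.search(r'"([^"]*)"', raw)
    if m:
        return m.group(1)
    m = re.search(r"User-Agent: ([^\n]*)\n", raw)
    return m.group(1) if m else None


def score_event(raw: str) -> Optional[dict]:
    """Return the scored record, or None where one of the query's where-clauses drops it."""
    ua_raw = parse_user_agent(raw)
    if ua_raw is None or len(ua_raw) <= 10:
        return None
    process_name = parse_kv(raw, "process")
    ua = ua_raw.lower()
    process = process_name.lower() if process_name else None
    # Unknown process counts as non-browser, as in the query's isNull branch
    non_browser = 1 if process is None or not BROWSER_PROCESS.search(process) else 0
    if non_browser == 0:
        return None
    known_malware_ua = 3 if any(p.search(ua) for p in KNOWN_MALWARE_UA) else 0
    outdated_browser = 2 if OUTDATED_BROWSER.search(ua) else 0
    missing_fields = 2 if ua.startswith("mozilla/") and "mozilla/5.0" not in ua else 0
    score = known_malware_ua + outdated_browser + missing_fields + non_browser
    if score <= 0:
        return None
    return {
        "src_ip": parse_kv(raw, "c-ip"),
        "http_user_agent": ua_raw,
        "uri_path": parse_kv(raw, "cs-uri-stem"),
        "process_name": process_name,
        "SuspicionScore": score,
    }


def run_detection(lines):
    """Emulate count by src_ip, http_user_agent, SuspicionScore, highest score first."""
    counts = {}
    for line in lines:
        rec = score_event(line)
        if rec is None:
            continue
        key = (rec["src_ip"], rec["http_user_agent"], rec["SuspicionScore"])
        counts[key] = counts.get(key, 0) + 1
    rows = [(ip, ua, score, n) for (ip, ua, score), n in counts.items()]
    return sorted(rows, key=lambda r: (-r[2], -r[3]))


if __name__ == "__main__":
    for src_ip, ua, score, n in run_detection(SAMPLE_LOGS):
        print(f"{score}\t{n}\t{src_ip}\t{ua}")
```

Running the block prints five rows: the process-less Mozilla/4.0 event scores 5, the PowerShell IE10 event 4, the python3 Firefox/38 event 3, and the curl and Java events 1 each; the real Chrome browser and the short curl UA are dropped by the where-clauses. A score of 1 therefore means only "non-browser process", which is why the False Positives section matters for API clients and build agents.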
False Positives & Tuning
- Custom HTTP client libraries (Java HttpClient, Python requests, Go net/http) that use default or customized User-Agent strings during legitimate API integrations
- CI/CD pipeline tools or build agents making outbound HTTP calls with service-specific User-Agent strings that match legacy browser patterns
- Headless browser automation for test suites (Selenium, Playwright in headless mode) that emit UA strings different from standard browser defaults
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: HTTP Request with Spoofed Browser User-Agent via curl
Expected signal: Sysmon Event ID 1: Process Create for curl.exe with '-A' and the full User-Agent string in CommandLine. Sysmon Event ID 3: Network Connection from curl.exe to httpbin.org IP on port 80. DeviceNetworkEvents with InitiatingProcessFileName=curl.exe connecting to external IP. Proxy logs show HTTP request with Chrome User-Agent from a non-browser process.
- Test 2: PowerShell HTTP Request with Spoofed User-Agent
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with 'User-Agent' and 'MSIE 10.0' in CommandLine. Sysmon Event ID 3: Network Connection from powershell.exe to httpbin.org. PowerShell ScriptBlock Log Event ID 4104 with the full script content. Proxy logs show IE10 User-Agent from PowerShell process.
- Test 3: Python HTTP Request Mimicking Browser Fingerprint
Expected signal: Auditd EXECVE record for python3 with the HTTP request script. Network connection from python3 to httpbin.org on port 80. Proxy logs show full browser-like header set (User-Agent, Accept, Accept-Language, Accept-Encoding) originating from a Python process rather than a browser.
References (7)
- https://attack.mitre.org/techniques/T1036/012/
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/User-Agent
- https://arxiv.org/pdf/2110.10129
- https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf
- https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/SigmaHQ/sigma/tree/master/rules/network