title: Browser Fingerprint (T1036.012)
id: df00tech-t1036-012
status: experimental
description: "Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, platform, user-agent string, resolution, time zone, etc. The HTTP User-Agent request header is a string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent. Adversaries may gather this information through System Information Discovery or by users navigating to adversary-controlled websites, and then use that information to craft their web traffic to evade defenses. This technique was documented in the FatDuke malware, which mimics a compromised user's traffic by using the same user agent as the installed browser."
references:
  - https://attack.mitre.org/techniques/T1036/012/
  - https://df00tech.com/detections/T1036.012
author: df00tech
date: 2026/04/16
tags:
  - attack.t1036.012
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# Windows network_connection events (e.g. Sysmon Event ID 3) record the initiating
# process, source and destination, but not HTTP headers, so the User-Agent string
# itself has to come from a source that logs HTTP requests (a web proxy, Zeek
# http.log, or EDR web telemetry), ideally joined back to the endpoint process.
logsource:
  category: network_connection
  product: windows
detection:
  # PLACEHOLDER: the detection logic could not be auto-translated; see the KQL/SPL
  # query on df00tech. As written, the selection below matches every event in the
  # logsource and must be replaced before this rule is deployed.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate software updaters that use HTTP with browser-like User-Agent strings (e.g., Windows Update, Adobe updaters, application auto-update mechanisms)"
  - "System administration tools like curl, wget, Invoke-WebRequest used in legitimate scripts that set custom User-Agent strings for API compatibility"
  - "Monitoring and health-check agents that use HTTP requests with User-Agent strings to verify web service availability"
  - "Development and testing tools (Postman, Selenium, Playwright) that set User-Agent headers as part of web application testing workflows"
level: medium
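The rule above only carries a placeholder selection, so here is what the actual check for this technique looks like when run over sample data. This is an added example, not df00tech's query and not part of the Sigma rule: it assumes HTTP request logs (which carry the User-Agent header) have already been joined to endpoint telemetry (which carries the initiating process image) on host, source port and time, and flags records where a non-browser process presents a browser-family User-Agent, the pattern the description attributes to FatDuke. The records, the allowlist and the process lists are constructed for the example and would be tuned per environment.

```python
import re
from typing import Dict, List, Optional

# Constructed sample rows: the result of joining a proxy/HTTP log (User-Agent)
# with endpoint telemetry (initiating process image). The join is assumed; none
# of these hosts, paths or destinations are real observations.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"host": "WS01", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
           "Chrome/124.0.0.0 Safari/537.36", "dst": "www.example.com"},
    {"host": "WS01", "image": r"C:\Windows\System32\rundll32.exe",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
           "Chrome/124.0.0.0 Safari/537.36", "dst": "203.0.113.10"},
    {"host": "WS01", "image": r"C:\Windows\System32\curl.exe",
     "ua": "curl/8.4.0", "dst": "api.example.com"},
    {"host": "WS02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0",
     "dst": "203.0.113.10"},
    {"host": "WS02", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0",
     "dst": "www.example.com"},
    {"host": "WS03", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
           "Chrome/124.0.0.0 Safari/537.36", "dst": "203.0.113.10"},
]

# Browser executables that legitimately send a browser-family User-Agent.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe",
                  "brave.exe", "opera.exe"}

# Helpers known in this (assumed) environment to send browser-like User-Agents;
# this is where the updaters listed under falsepositives get tuned out.
ALLOWLISTED_IMAGES = {"microsoftedgeupdate.exe", "googleupdate.exe"}

# Living-off-the-land binaries that are rarely legitimate HTTP clients; a
# browser-like User-Agent from one of these is the high-confidence case.
LOLBIN_IMAGES = {"rundll32.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                 "regsvr32.exe", "certutil.exe", "wscript.exe", "cscript.exe"}

# "Browser-like" here means a Mozilla/ prefix plus a browser product token.
BROWSER_UA_RE = re.compile(r"\b(Chrome|Firefox|Edg|Safari|Trident|OPR)/[\d.]+")


def image_basename(image: str) -> str:
    """Lowercase file name of a Windows image path (handles both slash styles)."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_browser_like(ua: str) -> bool:
    """True when the User-Agent claims to be a mainstream browser."""
    return ua.startswith("Mozilla/") and BROWSER_UA_RE.search(ua) is not None


def classify(record: Dict[str, str]) -> Optional[str]:
    """Return 'high', 'medium' or None for one joined HTTP record."""
    if not is_browser_like(record["ua"]):
        return None  # honest non-browser UA (curl/..., etc.) is out of scope here
    name = image_basename(record["image"])
    if name in BROWSER_IMAGES or name in ALLOWLISTED_IMAGES:
        return None  # a real browser (or tuned-out helper) sending its own UA
    return "high" if name in LOLBIN_IMAGES else "medium"


def find_spoofed_user_agents(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the check over a batch of records and return the findings in order."""
    findings = []
    for r in records:
        level = classify(r)
        if level is not None:
            findings.append({"host": r["host"], "image": image_basename(r["image"]),
                             "dst": r["dst"], "level": level})
    return findings


if __name__ == "__main__":
    for f in find_spoofed_user_agents(SAMPLE_RECORDS):
        print(f"{f['level']:6} {f['host']} {f['image']} -> {f['dst']}")
```

On the sample rows this flags rundll32.exe and powershell.exe as high and the unsigned-looking Temp\update.exe as medium, while the real Chrome and Firefox sessions and the honest curl request pass. Note what the check does and does not cover: because FatDuke-style spoofing copies the installed browser's exact User-Agent, comparing the UA against the host's browser inventory is not useful; the process-to-UA mismatch is the signal, and it only exists if your HTTP logging can be tied back to the initiating process.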
