1. Home
  2. Techniques
  3. Enterprise
  4. Masquerading
  5. Browser Fingerprint

Masquerading: Browser Fingerprint

ID Name
T1036.001 Invalid Code Signature
T1036.002 Right-to-Left Override
T1036.003 Rename Legitimate Utilities
T1036.004 Masquerade Task or Service
T1036.005 Match Legitimate Resource Name or Location
T1036.006 Space after Filename
T1036.007 Double File Extension
T1036.008 Masquerade File Type
T1036.009 Break Process Trees
T1036.010 Masquerade Account Name
T1036.011 Overwrite Process Arguments
T1036.012 Browser Fingerprint

Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, platform, user-agent string, resolution, time zone, etc. The HTTP User-Agent request header is a string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.[1]

Adversaries may gather this information through System Information Discovery or by users navigating to adversary-controlled websites, and then use that information to craft their web traffic to evade defenses.[2]

ID: T1036.012
Sub-technique of:  T1036
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Version: 1.0
Created: 22 September 2025
Last Modified: 19 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0512 FatDuke

FatDuke has attempted to mimic a compromised user's traffic by using the same user agent as the installed browser.[3]

Mitigations

ID Mitigation Description
M1047 Audit

Review and limit the fingerprinting surface to only necessary information on each browser to make the browser less unique. For example, the available fonts may be limited to a standard font list. [4]

Detection Strategy

ID Name Analytic ID Analytic Description
DET0898 Detection of Spoofed User-Agent AN2029

Process execution without GUI context (e.g., powershell.exe, wscript.exe) generates HTTP traffic with a spoofed User-Agent mimicking a legitimate browser. No corresponding UI application (e.g., msedge.exe) is active or in parent lineage. The User-Agent deviates from known enterprise baselines or contains spoofed platform indicators. User-Agent strings can be gathered with API calls such as ShellExecuteW to open the default browser on a socket to receive an HTTP reply, or by hard coding the User-Agent string for a specific browser.
AN2031

Detection of HTTP outbound requests with inconsistent or spoofed User-Agent headers from command-line tools (e.g., curl, wget, python requests) following interactive user shells or scheduled jobs outside of normal user session behavior.
AN2032

Observation of scripted network requests (e.g., using osascript, curl, or python) that include mismatched or spoofed browser User-Agent strings compared to the typical macOS Safari or Chrome baseline, especially when triggered by non-interactive launch agents, login hooks, or background daemons.

References

  1. MDN contributors. (2025, July 4). User-Agent header. Retrieved October 19, 2025.
  2. Zengrui Liu, Prakash Shrestha, and Nitesh Saxena. (2021, October 19). Retrieved September 22, 2025.
  1. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  2. W3C. (2025, September 12). Mitigating Browser Fingerprinting in Web Specifications. Retrieved September 22, 2025.