Stealth

T1036.012: Browser Fingerprint

T1036.012 · Sub-technique · 3 platforms

Description

Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, platform, user-agent string, resolution, time zone, etc. The HTTP User-Agent request header is a string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.(Citation: Mozilla User Agent)

Adversaries may gather this information through System Information Discovery or by users navigating to adversary-controlled websites, and then use that information to craft their web traffic to evade defenses.(Citation: Gummy Browsers Targeted Browser Spoofing against State-of-the-Art Fingerprinting Techniques)

Platforms

Linux, macOS, Windows

Mitigations (1)

M1047 · Audit

Review and limit the fingerprinting surface to only necessary information on each browser to make the browser less unique. For example, the available fonts may be limited to a standard font list. (Citation: W3C)

Associated Software (1)

ID: S0512
Name: FatDuke
Type: Malware
Context: [FatDuke](https://attack.mitre.org/software/S0512) has attempted to mimic a compromised user's traffic by using the same user agent as the installed b...

Frequently Asked Questions

What is T1036.012 (Browser Fingerprint)?

T1036.012 is a MITRE ATT&CK technique named 'Browser Fingerprint'. It belongs to the Stealth tactic. Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, platform, user-agent string, resolution, time zone, etc....

How can T1036.012 be detected?

Detection of T1036.012 (Browser Fingerprint) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
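One concrete form of the network-traffic monitoring described above is a consistency check: the operating system a User-Agent string claims should agree with what the endpoint inventory says about the source host, and a single host should not present several unrelated browser identities in a short window. The script below is an added example, not code from the page or from MITRE; the proxy log format, the `host=... url=... ua="..."` fields, the hostnames and the inventory mapping are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (illustrative only, not real telemetry).
# Each line carries the source host, the requested URL and the User-Agent header.
SAMPLE_LOGS = [
    'host=ws-0042 url=https://example.invalid/a ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"',
    'host=ws-0042 url=https://example.invalid/b ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"',
    'host=ws-0042 url=https://example.invalid/c ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15"',
    'host=mac-0007 url=https://example.invalid/d ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15"',
    'host=lx-0003 url=https://example.invalid/e ua="Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"',
    'host=ph-0011 url=https://example.invalid/f ua="Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Mobile Safari/537.36"',
    'garbage line that does not parse',
]

# Constructed endpoint inventory (hostname -> OS family as reported by EDR/CMDB).
INVENTORY = {"ws-0042": "windows", "mac-0007": "macos", "lx-0003": "linux", "ph-0011": "android"}

LINE_RE = re.compile(r'host=(?P<host>\S+) url=(?P<url>\S+) ua="(?P<ua>[^"]*)"')


def claimed_os(ua):
    """Map the platform token of a User-Agent string to a coarse OS family."""
    u = ua.lower()
    if "windows nt" in u:
        return "windows"
    if "mac os x" in u or "macintosh" in u:
        return "macos"
    # Android UAs also contain "Linux", so test Android first.
    if "android" in u:
        return "android"
    if "linux" in u or "x11" in u:
        return "linux"
    return "unknown"


def parse(line):
    """Return the host/url/ua fields of one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def find_mismatches(lines, inventory):
    """Flag requests whose claimed OS disagrees with the inventory OS of the source host."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # unparseable lines are skipped, not alerted on
        expected = inventory.get(rec["host"])
        claimed = claimed_os(rec["ua"])
        if expected and claimed != "unknown" and claimed != expected:
            alerts.append({"host": rec["host"], "expected": expected,
                           "claimed": claimed, "url": rec["url"]})
    return alerts


def ua_variety_per_host(lines):
    """Count distinct User-Agent strings seen per host; a sudden jump is a weak signal."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec:
            seen[rec["host"]].add(rec["ua"])
    return {host: len(uas) for host, uas in seen.items()}


if __name__ == "__main__":
    for a in find_mismatches(SAMPLE_LOGS, INVENTORY):
        print(f"OS mismatch: {a['host']} is {a['expected']} but UA claims {a['claimed']} ({a['url']})")
    print(ua_variety_per_host(SAMPLE_LOGS))
```

Two caveats apply when turning this into a SIEM rule. First, a mismatch is only a cheap signal: legitimate software (embedded browsers, test tooling, some updaters) sends unusual User-Agent strings, so the rule should enrich rather than block. Second, the FatDuke entry above shows the limit of the check: malware that copies the User-Agent of the browser actually installed on the host will pass it, so it needs to be combined with other telemetry such as the process that originated the connection and the reputation of the destination.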

What mitigations exist for T1036.012?

There is 1 documented mitigation for T1036.012: Audit (M1047).

Which threat groups use T1036.012?

While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.