
DET0898 Detection of Spoofed User-Agent

| Item | Value |
|---|---|
| ID | DET0898 |
| Version | 1.0 |
| Created | 23 October 2025 |
| Last Modified | 12 November 2025 |

Technique Detected: T1036.012 (Browser Fingerprint)

Analytics

Windows

AN2029

Process execution without a GUI context (e.g., powershell.exe, wscript.exe) generates HTTP traffic with a spoofed User-Agent mimicking a legitimate browser, while no corresponding UI application (e.g., msedge.exe) is active or present in the parent lineage. The User-Agent deviates from known enterprise baselines or contains spoofed platform indicators. User-Agent strings can be gathered with API calls such as ShellExecuteW to open the default browser on a socket and receive an HTTP reply, or by hard-coding the User-Agent string of a specific browser.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | NSM:Flow | Inbound HTTP POST with suspicious payload size or user-agent |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3, 22 |
| OS API Execution (DC0021) | etw:Microsoft-Windows-Kernel-Process | API Calls |

Mutable Elements

| Field | Description |
|---|---|
| HeaderSignatureMatch | Specific HTTP header anomalies or patterns (e.g., spoofed User-Agent). |
| UserAgentFingerprint | Flag browser-based sessions |
| NonBrowserProcessList | List of non-browser binaries expected not to initiate web requests (e.g., powershell.exe, cscript.exe) |

Linux

AN2031

Detection of outbound HTTP requests with inconsistent or spoofed User-Agent headers from command-line tools (e.g., curl, wget, Python requests), issued from interactive user shells or scheduled jobs outside of normal user session behavior.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | NSM:Flow | http.log, conn.log |
| Network Connection Creation (DC0082) | auditd:SYSCALL | outbound connections |
| Process Creation (DC0032) | auditd:SYSCALL | execve |

Mutable Elements

| Field | Description |
|---|---|
| HeaderSignatureMatch | Specific HTTP header anomalies or patterns (e.g., spoofed User-Agent). |
| UserAgentFingerprint | Flag browser-based sessions |

macOS

AN2032

Observation of scripted network requests (e.g., using osascript, curl, or python) that include mismatched or spoofed browser User-Agent strings compared to the typical macOS Safari or Chrome baseline, especially when triggered by non-interactive launch agents, login hooks, or background daemons.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | macos:unifiedlog | network connection events |
| Network Traffic Content (DC0085) | NSM:Flow | Inbound HTTP POST with suspicious payload size or user-agent |
| Process Creation (DC0032) | macos:unifiedlog | exec logs |

Mutable Elements

| Field | Description |
|---|---|
| UserAgentFingerprint | Flag browser-based sessions |
| HeaderSignatureMatch | Specific HTTP header anomalies or patterns (e.g., spoofed User-Agent). |
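The three analytics above (AN2029, AN2031, AN2032) share one core rule: a browser-style User-Agent sent by a process that is not a browser and has no browser in its parent lineage, with platform mismatch, baseline deviation and non-interactive launch context as confidence boosters. The following Python is an added worked example of that rule, not code from the DET0898 page or from MITRE. It assumes the HTTP log record (Zeek http.log or an NSM flow) has already been joined upstream to its originating process event (Sysmon EventCode 3, auditd SYSCALL/execve, or macOS unified-log exec and network events); the `HttpRequest` fields, the process lists, the regexes and the User-Agent strings are constructed stand-ins for the page's `NonBrowserProcessList`, `UserAgentFingerprint` and `HeaderSignatureMatch` mutable elements.

```python
import re
from dataclasses import dataclass

# Tunables standing in for the page's mutable elements (assumed values).
NON_BROWSER_PROCESS_LIST = {
    "powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", "rundll32.exe",  # Windows
    "curl", "wget", "python", "python3",                                       # Linux / macOS
    "osascript",                                                               # macOS
}
BROWSER_PROCESSES = {"msedge.exe", "chrome.exe", "firefox.exe",
                     "Safari", "Google Chrome", "firefox"}

# Browser-style UA: Mozilla/5.0 token, a parenthesised platform clause, a browser product token.
BROWSER_UA = re.compile(r"^Mozilla/5\.0 \(.*\).*\b(Chrome|Safari|Firefox|Edg)/\d")
# Platform claimed inside the UA, compared against the host that actually sent the request.
UA_PLATFORM_CLAIMS = {
    "windows": re.compile(r"Windows NT"),
    "macos": re.compile(r"Macintosh"),
    "linux": re.compile(r"X11; Linux"),
}

# Constructed UA strings; BASELINE_UAS plays the enterprise allow-list.
CHROME_WIN = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
EDGE_WIN = CHROME_WIN + " Edg/120.0.0.0"
SAFARI_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
              "(KHTML, like Gecko) Version/17.1 Safari/605.1.15")
BASELINE_UAS = {EDGE_WIN, SAFARI_MAC}


@dataclass
class HttpRequest:
    """One outbound HTTP request already joined to its originating process (assumed upstream join)."""
    platform: str        # host OS: "windows", "linux" or "macos"
    process: str         # image name from Sysmon, auditd execve or unified log
    parent_chain: list   # ancestor image names, nearest parent first
    user_agent: str      # User-Agent header from the HTTP log
    interactive: bool    # started from a user session (True) or cron/launchd/service (False)
    dest: str            # destination host or address


def claimed_platform(ua):
    """Return the platform the UA claims, or None if it claims none."""
    for name, rx in UA_PLATFORM_CLAIMS.items():
        if rx.search(ua):
            return name
    return None


def browser_in_lineage(req):
    """True if the process itself or any ancestor is a known browser."""
    return req.process in BROWSER_PROCESSES or any(
        p in BROWSER_PROCESSES for p in req.parent_chain)


def spoof_reasons(req):
    """Reasons a request looks like a spoofed browser UA; empty list means benign.

    Primary condition: browser-style UA from a listed non-browser process with no
    browser in its lineage. The remaining reasons only raise confidence.
    """
    if not BROWSER_UA.match(req.user_agent):
        return []  # curl/8.x, python-requests/2.x etc. do not claim to be a browser
    if browser_in_lineage(req) or req.process not in NON_BROWSER_PROCESS_LIST:
        return []
    reasons = ["browser_ua_from_non_browser_process"]
    claimed = claimed_platform(req.user_agent)
    if claimed and claimed != req.platform:
        reasons.append(f"ua_platform_mismatch:{claimed}!={req.platform}")
    if req.user_agent not in BASELINE_UAS:
        reasons.append("ua_outside_baseline")
    if not req.interactive:
        reasons.append("non_interactive_context")
    return reasons


def detect(requests):
    """Run spoof_reasons over a batch; return (process, dest, reasons) for each hit."""
    hits = []
    for req in requests:
        reasons = spoof_reasons(req)
        if reasons:
            hits.append((req.process, req.dest, reasons))
    return hits


SAMPLE_REQUESTS = [  # constructed events, one per scenario from the three analytics
    HttpRequest("windows", "powershell.exe", ["explorer.exe"], CHROME_WIN, True, "203.0.113.10"),
    HttpRequest("windows", "msedge.exe", ["explorer.exe"], EDGE_WIN, True, "203.0.113.10"),
    HttpRequest("windows", "cmd.exe", ["msedge.exe", "explorer.exe"], EDGE_WIN, True, "203.0.113.10"),
    HttpRequest("linux", "curl", ["cron"], CHROME_WIN, False, "203.0.113.20"),
    HttpRequest("linux", "curl", ["bash", "sshd"], "curl/8.5.0", True, "203.0.113.20"),
    HttpRequest("macos", "python3", ["launchd"], SAFARI_MAC, False, "203.0.113.30"),
    HttpRequest("macos", "Safari", ["launchd"], SAFARI_MAC, True, "203.0.113.30"),
]

if __name__ == "__main__":
    for process, dest, reasons in detect(SAMPLE_REQUESTS):
        print(f"ALERT {process} -> {dest}: {', '.join(reasons)}")
```

Run as-is, the script alerts on three of the seven constructed requests: powershell.exe with a Chrome UA outside the baseline, curl from cron presenting a Windows UA on a Linux host, and a launchd-started python3 presenting Safari's UA. The Edge request from msedge.exe, the cmd.exe child of msedge.exe (browser in lineage), the honest `curl/8.5.0` and the real Safari session are all left alone, which is the false-positive behaviour the lineage and tool-UA checks exist to provide.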