T1036.012: Browser Fingerprint
Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, platform, user-agent string, resolution, time zone, etc. The HTTP User-Agent request header is a string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.[1]
Adversaries may gather this information through System Information Discovery or by users navigating to adversary-controlled websites, and then use that information to craft their web traffic to evade defenses.[2]
Analyst context for executives and security teams
Browser Fingerprint is a stealth-focused masquerading behavior where an adversary makes web traffic look like it came from a plausible browser and system by spoofing attributes such as User-Agent, operating system, language, platform, resolution, and time zone. For leaders, the practical issue is that controls relying on browser identity or simple header checks can be misled unless they are backed by broader audit evidence and anomaly review.
Executive priority
Treat this as a coverage-validation item for web, SOC, and audit programs rather than a standalone vulnerability. Ask whether security teams can prove which browser and system attributes are logged, whether spoofed User-Agent activity would be noticed, and whether investigations can correlate web traffic with endpoint context on Linux, macOS, and Windows. This matters for resilience because weak audit trails can slow incident decisions when adversary traffic blends into normal browser activity.
Technical view
ATT&CK provides no official detection text for this sub-technique, but the relationship to DET0898, Detection of Spoofed User-Agent, points defenders toward validating browser-header spoofing analytics. SOC and detection teams should test whether web, proxy, and endpoint telemetry can expose inconsistencies between claimed browser attributes and observed system or session behavior. Because this is a sub-technique of Masquerading under the stealth tactic, detections should not rely only on the User-Agent string; they should correlate HTTP attributes with endpoint, user, and network context where available. ATT&CK also records FatDuke as software that uses this technique, which supports including this behavior in threat-informed detection reviews without assuming current activity in any environment.
Likely telemetry
- HTTP request headers, especially User-Agent
- Web server, reverse proxy, secure web gateway, or network proxy logs
- Browser and system attribute data where collected, such as operating system, language, platform, resolution, or time zone
- Endpoint network activity from Linux, macOS, and Windows systems
- Audit logs supporting user behavior and system activity review
Detection direction
- Validate whether DET0898-style spoofed User-Agent logic exists and whether it is enabled for relevant web traffic sources.
- Look for mismatches between claimed browser/system attributes and known endpoint or session context, while tuning for legitimate browser updates, privacy tools, automation, and enterprise tooling that may alter headers.
- Avoid single-field detections based only on User-Agent values; prioritize correlation across request headers, source endpoint, user/session behavior, and historical norms.
- Confirm log retention and parsing quality for browser-related fields, because missing or normalized-away headers can create a blind spot.
- Use the parent Masquerading context to review whether other artifact or identity claims are being trusted without corroborating telemetry.
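The cross-checks listed above, as an added example that is not part of ATT&CK or this page's original content: it parses a batch of proxy log lines, derives the operating system each User-Agent claims, and flags three inconsistencies, a claim that disagrees with the endpoint inventory, a claim that disagrees with the Sec-CH-UA-Platform client hint sent in the same request, and one host presenting more OS families than a user would plausibly use in the batch window. The JSON log schema, the field names (src_ip, user_agent, sec_ch_ua_platform), the inventory map and the log lines themselves are constructed for illustration; adapt them to your own gateway or EDR export.

```python
"""Cross-check User-Agent claims against endpoint inventory and client hints.

Added example for this page (not ATT&CK or Glexia code). The proxy log
schema, the inventory map and the sample log lines below are constructed;
adapt the field names to your own gateway or proxy export.
"""
import json
import re
from collections import defaultdict

# Constructed asset inventory: source IP -> OS family reported by EDR/asset data.
INVENTORY = {
    "10.0.1.15": "windows",
    "10.0.1.22": "macos",
    "10.0.1.40": "linux",
}

# Tuning: tooling that legitimately sends non-browser User-Agents from any host.
ALLOWLISTED_UA_PREFIXES = ("curl/", "python-requests/", "Go-http-client/")

# Order matters: Android UAs also contain "Linux", so Android is tested before
# the desktop Linux pattern.
UA_OS_PATTERNS = [
    ("windows", re.compile(r"Windows NT \d")),
    ("ios", re.compile(r"\b(iPhone|iPad|iPod)\b")),
    ("macos", re.compile(r"Macintosh; Intel Mac OS X")),
    ("android", re.compile(r"Android \d")),
    ("linux", re.compile(r"X11; (?:Ubuntu; )?Linux")),
]

# Sec-CH-UA-Platform (Client Hints) values mapped onto the same OS families.
CH_PLATFORM = {"Windows": "windows", "macOS": "macos", "Linux": "linux",
               "Android": "android", "iOS": "ios"}


def claimed_os(user_agent):
    """Return the OS family the User-Agent string claims, or None if unknown."""
    for family, pattern in UA_OS_PATTERNS:
        if pattern.search(user_agent):
            return family
    return None


def analyze(log_lines, max_families=2):
    """Emit findings for UA/inventory, UA/Client-Hints and per-host OS churn."""
    findings = []
    families_by_src = defaultdict(set)
    for line in log_lines:
        ev = json.loads(line)
        src, ua = ev["src_ip"], ev.get("user_agent", "")
        if ua.startswith(ALLOWLISTED_UA_PREFIXES):
            continue                      # known automation, do not score
        claim = claimed_os(ua)
        if claim is None:
            continue                      # unparsed UA: not evidence either way
        families_by_src[src].add(claim)
        known = INVENTORY.get(src)
        if known and claim != known:
            findings.append({"src_ip": src, "ts": ev["ts"], "rule": "ua_vs_inventory",
                             "claimed": claim, "known": known})
        hint = CH_PLATFORM.get(ev.get("sec_ch_ua_platform", ""))
        if hint and hint != claim:
            findings.append({"src_ip": src, "ts": ev["ts"], "rule": "ua_vs_client_hints",
                             "claimed": claim, "hint": hint})
    # Churn: one host presenting more OS families than a user would plausibly use.
    # Callers pass one time window of logs per batch (here, one hour).
    for src, fams in families_by_src.items():
        if len(fams) > max_families:
            findings.append({"src_ip": src, "rule": "os_churn", "families": sorted(fams)})
    return findings


# Constructed proxy log lines (one JSON object per line), one hour of traffic.
SAMPLE_LOGS = [
    '{"ts":"2026-04-15T09:00:01Z","src_ip":"10.0.1.15","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36","sec_ch_ua_platform":"Windows"}',
    '{"ts":"2026-04-15T09:03:12Z","src_ip":"10.0.1.22","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"}',
    '{"ts":"2026-04-15T09:05:40Z","src_ip":"10.0.1.40","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36","sec_ch_ua_platform":"Linux"}',
    '{"ts":"2026-04-15T09:10:00Z","src_ip":"10.0.1.15","user_agent":"curl/8.5.0"}',
    '{"ts":"2026-04-15T09:20:00Z","src_ip":"10.0.1.15","user_agent":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 Safari/604.1"}',
    '{"ts":"2026-04-15T09:30:00Z","src_ip":"10.0.1.15","user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"}',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(json.dumps(finding))
```

On the sample batch, the macOS host 10.0.1.22 and the Linux host 10.0.1.40 both claim Windows, and 10.0.1.40 additionally contradicts itself through its client hint, which is the kind of half-spoofed request a User-Agent-only rule would miss. The curl request from 10.0.1.15 is skipped by the allowlist, but that host still trips the churn rule by presenting Windows, iOS and Linux within the hour. None of these findings is proof on its own; each is a pointer to the endpoint and session context the page says the correlation should rest on.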
Mitigation priorities
- Implement and regularly review audit configurations as described by M1047, with emphasis on activity and system logs relevant to browser-originated web traffic.
- Ensure web/proxy and endpoint audit sources preserve enough browser and system attribute evidence to support anomaly analysis and compliance review.
- Prioritize review workflows that compare user behavior and system context over time rather than treating browser headers as authoritative.
- Document detection assumptions and known blind spots so incident responders understand when browser identity evidence is weak or missing.
Analyst notes and limits
This object is a new ATT&CK v19.1 enterprise sub-technique for Linux, macOS, and Windows under the stealth tactic. The official description emphasizes spoofing browser and system attributes to blend in with legitimate traffic, with possible information gathering through System Information Discovery or adversary-controlled websites. The most actionable relationship is DET0898 for spoofed User-Agent detection and M1047 Audit for mitigation direction.
ATT&CK does not provide official detection text for this technique, and the supplied relationships do not include detailed detection logic. Local logging, proxy architecture, endpoint visibility, and normal browser diversity will determine whether this behavior is observable and how noisy detections may be.
Browser Fingerprint
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1036 | Masquerading | This object is a sub-technique of Masquerading. |
Groups, software, and campaigns
S0512: FatDuke
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table lists the same object across releases (object version, MITRE modification timestamps, and bundle hashes) so changes between releases can be compared. For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 88bed9c9e457… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] MDN contributors. (2025, July 4). User-Agent header. Mozilla Developer Network. Retrieved October 19, 2025.
- [2] Zengrui Liu, Prakash Shrestha, and Nitesh Saxena. (2021, October 19). Gummy Browsers: Targeted Browser Spoofing against State-of-the-Art Fingerprinting Techniques. Retrieved April 15, 2026.
- [3] MITRE ATT&CK. T1036.012: Browser Fingerprint.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.