< Back to all blog posts

Cookies + Milk: Detecting Cookies, Headless Browsers, and CLI tools with GreyNoise

Remy @_mattata

Our research team is always looking for ways to improve our tagging methodology to enable GreyNoise users to understand actor behavior and tooling. GreyNoise already identifies clients with JA3 and HASSH data.

To expand on this work, GreyNoise recently added 3 new tags to shed more light on how various internet background noise-makers using HTTP clients manage their internal state. The below tags improve client fingerprinting for HTTP based protocols.

  • Carries HTTP Referer: This tag identifies HTTP clients that include a “Referer” header which indicates what page or site the HTTP request was referred from.

  • Stores HTTP Cookies - This tag identifies HTTP clients that allow “Cookies” to be set and stored in the client’s storage and are sent with subsequent requests.

On their own, each individual tag contributes a small indication of how the HTTP client manages it’s internal state. While that alone has value in helping to profile the actor behind the IP and possibly track them across IPs, the more interesting insights can be seen when these tags are viewed holistically.

Figure 1: Venn Diagram representing IP's that match each tag and their respective overlaps, data pulled on Aug. 25, 2021.
Figure 1: Venn Diagram representing IP's that match each tag and their respective overlaps, data pulled on Aug. 25, 2021.

Figure 2: Venn Diagram representing IP's that match each tag and their respective overlaps, data pulled on Sep. 10, 2021.
Figure 2: Venn Diagram representing IP's that match each tag and their respective overlaps, data pulled on Sep. 10, 2021.

As seen above, the tagged activity is not homogenous, allowing us a glimpse into the diversity of tooling or techniques used in scanning and opportunistic exploitation. While many actors may use the same exploit vector or payload, they may launch them from tools that support different HTTP features. These new tags may help the analyst to determine if two IPs appear to be using the same tools.

Figure 3: IP Details page for 42.236.10.75. See it in the GreyNoise Viz.
Figure 3: IP Details page for 42.236.10.75. See it in the GreyNoise Viz.

For example, in Figure 3 we are able to determine with a high degree of confidence that the IP shown above is orchestrating a full-featured web browser (such as Puppeteer) to scan the internet. We see this because the IP exhibits browser-like behavior and attributes including carrying a referer header, accepting cookies, and following redirects.

We hope these new tags offer our users greater insight into the tooling and libraries utilized by internet background noise-makers. Let us know what you think by sharing your feedback on the GreyNoise Community Slack channel (must have a GreyNoise account).

GreyNoise Research
Tags