Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: SANS Internet Storm Center SANS Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Keep an Eye on Your Users Mobile Devices (Simple Inventory)

Published: 2021-09-24
Last Updated: 2021-09-24 08:10:24 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

Today, smartphones are everywhere and became our best friends for many tasks. Probably your users already access their corporate mailbox via a mobile device. If it's not yet the case, you probably have many requests to implement this. They are two ways to achieve this: you provide corporate devices to all users. From a risk perspective, it's the best solution: you select the models and control them. But it's very expensive and people don't like to carry two devices (a personal and a corporate one). Hopefully, if you use a Microsoft Exchange platform, there are ways to authorize personal devices to access corporate emails with a software component called ActiveSync[1]. ActiveSync allows deploying basic security policies like forcing the device to be locked with a password, force a minimum password length, etc. However, it's not a real MDM ("Mobile Device Management").

But you've hundreds or thousands of users connecting their mobile devices to your Exchange server how to keep an inventory of models, hardware, etc. Especially if the system administrators are not ready to share some information with your security team? ActiveSync is based on open protocols: HTTP(S) and XML. To synchronize, the ActiveSync server must be facing the Internet like any web server. So it mean we can gather some logs? Via a reverse-proxy or directly on the IIS server running the ActiveSync service?

Because network data is a goldmine (you can learn this topic in FOR572[2] - "Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response"), let's have a look at the IIS logs, located in C:\inetpub\logs\LogFiles\W3SVC1\*.log. Here is a sample HTTP request: (the line is pretty long and has been beautified)

2021-09-20 12:10:46 POST /Microsoft-Server-ActiveSync/default.eas \
  Cmd=Ping&User=domain.test%5Cuser01&DeviceId=XXXXXXXX&DeviceType=SamsungDevice& \
  CorrelationID=<empty>;&ClientId=XXXXXXXXX&cafeReqId=817b3ec9-6360-4526-a738-xxxxxxxxxxxx; \
  443 domain.test\user01 Android-SAMSUNG-SM-G950F/101.9 - 200 0 0 609

One of the interesting fields is the User-Agent (like any HTTP request) but the ActiveSync client submits the device model, OS & version through this field! Here are some User-Agent strings:


Wait, did you read carefully the last sample? Does it mean that some users are already happy owners of a brand new iPhone 13? Unfortunately, it's not so easy! The ActiveSync user-agent does not reflect the model in "clear". It contains a reference to a model and you must convert it to the right device name. Example with "Apple-iPhone10C4/1807.82":

"iPhone 10C4" = "iPhone 8"
"1807.69" = "iOS 14.7"

How do we find the corresponding values? There are plenty of lists available online like this one for iOS[3]

Now, you have all the requirements to build an inventory of all the mobile devices connecting to your ActiveSync instance and learn about:

  • Outdated devices
  • Suspicious devices (based on models not sold in Europe or your region)
  • People using multiple devices (because we also have the username in the HTTP event log)
  • ...


Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Excel Recipe: Some VBA Code with a Touch of Excel4 Macro
Sep 23rd 2021
2 days ago by Xme (0 comments)

An XML-Obfuscated Office Document (CVE-2021-40444)
Sep 22nd 2021
3 days ago by DidierStevens (0 comments)

A First Look at Apple's iOS 15 "Private Relay" feature.
Sep 21st 2021
3 days ago by Johannes (0 comments)

#OMIGOD Exploits Captured in the Wild. Researchers responsible for half of scans for related ports.
Sep 20th 2021
4 days ago by Johannes (0 comments)

Video: Simple Analysis Of A CVE-2021-40444 .docx Document
Sep 19th 2021
5 days ago by DidierStevens (0 comments)

Simple Analysis Of A CVE-2021-40444 .docx Document
Sep 18th 2021
6 days ago by DidierStevens (0 comments)

View All Diaries →

Latest Discussions

Dshield Sensor
created Jun 8th 2021
3 months ago by Rick (0 replies)

API port data
created Apr 25th 2021
5 months ago by JJ (1 reply)

RSS feed containing non-XML compatible characters
created Apr 14th 2021
5 months ago by Anonymous (1 reply)

Handler's Diary (Full text) RSS Feeds stopt working due to a typo
created Mar 5th 2021
6 months ago by (0 replies)

port_scan issue in Snort3
created Feb 23rd 2021
7 months ago by astraea (0 replies)

View All Forums →

Latest News

Top Diaries

"Summer of SAM": Microsoft Releases Guidance for CVE-2021-36934
Jul 22nd 2021
2 months ago by Johannes (0 comments)

Securing and Optimizing Networks: Using pfSense Traffic Shaper Limiters to Combat Bufferbloat
Jul 12th 2021
2 months ago by Johannes (0 comments)

DIY CD/DVD Destruction - Follow Up
Jul 4th 2021
2 months ago by DidierStevens (0 comments)

Maldocs: Protection Passwords
Feb 28th 2021
6 months ago by DidierStevens (0 comments)

An infection from Rig exploit kit
Jun 17th 2019
2 years ago by Brad (0 comments)