Keep an Eye on Your Users Mobile Devices (Simple Inventory)
Last Updated: 2021-09-24 08:10:24 UTC
by Xavier Mertens (Version: 1)
Today, smartphones are everywhere and became our best friends for many tasks. Probably your users already access their corporate mailbox via a mobile device. If it's not yet the case, you probably have many requests to implement this. They are two ways to achieve this: you provide corporate devices to all users. From a risk perspective, it's the best solution: you select the models and control them. But it's very expensive and people don't like to carry two devices (a personal and a corporate one). Hopefully, if you use a Microsoft Exchange platform, there are ways to authorize personal devices to access corporate emails with a software component called ActiveSync. ActiveSync allows deploying basic security policies like forcing the device to be locked with a password, force a minimum password length, etc. However, it's not a real MDM ("Mobile Device Management").
But you've hundreds or thousands of users connecting their mobile devices to your Exchange server how to keep an inventory of models, hardware, etc. Especially if the system administrators are not ready to share some information with your security team? ActiveSync is based on open protocols: HTTP(S) and XML. To synchronize, the ActiveSync server must be facing the Internet like any web server. So it mean we can gather some logs? Via a reverse-proxy or directly on the IIS server running the ActiveSync service?
Because network data is a goldmine (you can learn this topic in FOR572 - "Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response"), let's have a look at the IIS logs, located in
C:\inetpub\logs\LogFiles\W3SVC1\*.log. Here is a sample HTTP request: (the line is pretty long and has been beautified)
2021-09-20 12:10:46 192.168.4.101 POST /Microsoft-Server-ActiveSync/default.eas \ Cmd=Ping&User=domain.test%5Cuser01&DeviceId=XXXXXXXX&DeviceType=SamsungDevice& \ CorrelationID=<empty>;&ClientId=XXXXXXXXX&cafeReqId=817b3ec9-6360-4526-a738-xxxxxxxxxxxx; \ 443 domain.test\user01 10.0.0.11 Android-SAMSUNG-SM-G950F/101.9 - 200 0 0 609
One of the interesting fields is the User-Agent (like any HTTP request) but the ActiveSync client submits the device model, OS & version through this field! Here are some User-Agent strings:
Android-LG-G810/9.10.11 Android-SAMSUNG-SM-A505FN/101.10 Apple-iPad5C3/1807.82 Apple-iPhone10C4/1807.69 Apple-iPhone13C4/1807.82
Wait, did you read carefully the last sample? Does it mean that some users are already happy owners of a brand new iPhone 13? Unfortunately, it's not so easy! The ActiveSync user-agent does not reflect the model in "clear". It contains a reference to a model and you must convert it to the right device name. Example with "Apple-iPhone10C4/1807.82":
"iPhone 10C4" = "iPhone 8"
"1807.69" = "iOS 14.7"
How do we find the corresponding values? There are plenty of lists available online like this one for iOS
Now, you have all the requirements to build an inventory of all the mobile devices connecting to your ActiveSync instance and learn about:
- Outdated devices
- Suspicious devices (based on models not sold in Europe or your region)
- People using multiple devices (because we also have the username in the HTTP event log)
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant