CVE-2024-38112 - Windows MSHTML Spoofing via .url File Phishing (Void Banshee)
Detects exploitation of CVE-2024-38112, a Windows MSHTML spoofing vulnerability actively exploited by the Void Banshee threat group. Attackers deliver crafted .url files that invoke the legacy Internet Explorer MSHTML engine (mhtml: or ms-its: URI handlers) to load remote malicious content, bypassing modern browser security controls. Patch released July 2024; in CISA KEV catalog.
Vulnerability Intelligence
KEV — Known ExploitedAffected Software
- Vendor
- Microsoft
- Product
- Windows, MSHTML Platform
- Versions
- Windows 10, Windows 11, Windows Server 2008-2022
Weakness (CWE)
Timeline
- Disclosed
- July 9, 2024
- Patched
- July 9, 2024
CVSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
What is CVE-2024-38112 CVE-2024-38112 - Windows MSHTML Spoofing via .url File Phishing (Void Banshee)?
CVE-2024-38112 - Windows MSHTML Spoofing via .url File Phishing (Void Banshee) (CVE-2024-38112) maps to the Initial Access and Execution and Defense Evasion tactics — the adversary is trying to get into your network in MITRE ATT&CK.
This page provides production-ready detection logic for CVE-2024-38112 - Windows MSHTML Spoofing via .url File Phishing (Void Banshee), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
let suspiciousUriHandlers = dynamic(['mhtml:', 'ms-its:', 'its:', 'mk:@MSITStore']);
let suspiciousParents = dynamic(['explorer.exe', 'outlook.exe', 'winword.exe', 'excel.exe', 'powerpnt.exe', 'msedge.exe', 'chrome.exe', 'firefox.exe']);
DeviceProcessEvents
| where TimeGenerated >= ago(7d)
| where FileName =~ 'iexplore.exe' or FileName =~ 'exthost.exe'
| where InitiatingProcessFileName has_any (suspiciousParents)
| extend CommandLineLower = tolower(ProcessCommandLine)
| where CommandLineLower has_any (suspiciousUriHandlers)
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath
| union (
DeviceFileEvents
| where TimeGenerated >= ago(7d)
| where FileName endswith '.url'
| where InitiatingProcessFileName has_any ('outlook.exe', 'winword.exe', 'excel.exe', 'powerpnt.exe', 'msedge.exe', 'chrome.exe', 'firefox.exe')
| project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName
)
| order by TimeGenerated descDetects iexplore.exe or related processes launched by common document/browser applications with mhtml:, ms-its:, or mk: URI handlers in the command line, as well as .url file drops from mail/browser clients — the core exploitation pattern for CVE-2024-38112.
Data Sources
Required Tables
False Positives
- Legacy enterprise applications that legitimately invoke Internet Explorer via mhtml: or ms-its: URI handlers for help documentation
- IT administrator tools or scripts that programmatically launch iexplore.exe for compatibility testing
- Security awareness training platforms that simulate phishing via .url files in a controlled environment
Sigma rule & cross-platform mapping
The detection logic for CVE-2024-38112 - Windows MSHTML Spoofing via .url File Phishing (Void Banshee) (CVE-2024-38112) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: process_creation
product: windowsBrowse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2024-38112
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate CVE-2024-38112: mhtml URI via crafted .url file
Expected signal: Sysmon EventID 11 for .url file creation in %TEMP%; Sysmon EventID 1 for explorer.exe launching iexplore.exe with mhtml: in the command line; Sysmon EventID 3 for iexplore.exe attempting outbound connection to 192.168.100.200:80
- Test 2Simulate CVE-2024-38112: ms-its URI handler via .url file
Expected signal: Sysmon EventID 1 for iexplore.exe or hh.exe with ms-its: in CommandLine; Sysmon EventID 3 for outbound HTTP to 192.168.100.200; Sysmon EventID 11 for .url file creation
- Test 3Simulate Void Banshee delivery chain: Outlook attachment drop and .url execution
Expected signal: Sysmon EventID 11 for .url file in Outlook INetCache path; Sysmon EventID 1 for cmd.exe parent and iexplore.exe child with mhtml: CommandLine; Sysmon EventID 3 for iexplore.exe outbound connection attempt; Windows Security EventID 4688 for process creation chain
Unlock Pro Content
Get the full detection package for CVE-2024-38112 including response playbook, investigation guide, and atomic red team tests.