CVE-2024-38112 Elastic Security · Elastic

Detect CVE-2024-38112 - Windows MSHTML Spoofing via .url File Phishing (Void Banshee) in Elastic Security

Detects exploitation of CVE-2024-38112, a Windows MSHTML spoofing vulnerability actively exploited by the Void Banshee threat group. Attackers deliver crafted .url files that invoke the legacy Internet Explorer MSHTML engine (mhtml: or ms-its: URI handlers) to load remote malicious content, bypassing modern browser security controls. Patch released July 2024; in CISA KEV catalog.

MITRE ATT&CK

Tactic
Initial Access Execution Defense Evasion

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=30s
  [file where event.action == "creation" and file.extension == "url"
   and process.name : ("outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe", "msedge.exe", "chrome.exe", "firefox.exe")]
  [process where event.action == "start" and process.name == "iexplore.exe"
   and process.command_line : ("*mhtml:*", "*ms-its:*", "*mk:@MSITStore*", "*its:*")
   and process.parent.name : ("explorer.exe", "outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe", "msedge.exe", "chrome.exe", "firefox.exe")]
critical severity high confidence

EQL sequence correlating a .url file creation by a mail or browser process with a subsequent iexplore.exe launch using legacy MSHTML URI handlers within 30 seconds — high-fidelity pattern for CVE-2024-38112 exploitation.

Data Sources

Elastic Endpoint SecurityWinlogbeat with Sysmon

Required Tables

logs-endpoint.events.file-*logs-endpoint.events.process-*

False Positives & Tuning

  • Intranet portals that distribute .url shortcut files and use IE-compatible rendering for legacy content
  • Helpdesk or IT automation tooling that creates .url files and programmatically opens them in IE for compatibility checks
  • Security testing or red team exercises conducted in controlled lab environments

Other platforms for CVE-2024-38112

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate CVE-2024-38112: mhtml URI via crafted .url file

    Expected signal: Sysmon EventID 11 for .url file creation in %TEMP%; Sysmon EventID 1 for explorer.exe launching iexplore.exe with mhtml: in the command line; Sysmon EventID 3 for iexplore.exe attempting outbound connection to 192.168.100.200:80

  2. Test 2Simulate CVE-2024-38112: ms-its URI handler via .url file

    Expected signal: Sysmon EventID 1 for iexplore.exe or hh.exe with ms-its: in CommandLine; Sysmon EventID 3 for outbound HTTP to 192.168.100.200; Sysmon EventID 11 for .url file creation

  3. Test 3Simulate Void Banshee delivery chain: Outlook attachment drop and .url execution

    Expected signal: Sysmon EventID 11 for .url file in Outlook INetCache path; Sysmon EventID 1 for cmd.exe parent and iexplore.exe child with mhtml: CommandLine; Sysmon EventID 3 for iexplore.exe outbound connection attempt; Windows Security EventID 4688 for process creation chain

Last updated: 2026-06-20 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2024-38112 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0005Defense Evasion

Related Techniques

T1566.001Spearphishing AttachmentT1203Exploitation for Client ExecutionT1218System Binary Proxy Execution

Same Tactic: Initial Access

Popular Detections