CVE-2024-38112 CrowdStrike LogScale · LogScale

Detect CVE-2024-38112 - Windows MSHTML Spoofing via .url File Phishing (Void Banshee) in CrowdStrike LogScale

Detects exploitation of CVE-2024-38112, a Windows MSHTML spoofing vulnerability actively exploited by the Void Banshee threat group. Attackers deliver crafted .url files that invoke the legacy Internet Explorer MSHTML engine (mhtml: or ms-its: URI handlers) to load remote malicious content, bypassing modern browser security controls. Patch released July 2024; in CISA KEV catalog.

MITRE ATT&CK

Tactic
Initial Access Execution Defense Evasion

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
event_simpleName=ProcessRollup2
| search ImageFileName=~"*\\iexplore.exe"
    AND (CommandLine=~"*mhtml:*" OR CommandLine=~"*ms-its:*" OR CommandLine=~"*mk:@MSITStore*" OR CommandLine=~"*its://*")
    AND ParentBaseFileName IN ("outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe", "explorer.exe", "msedge.exe", "chrome.exe", "firefox.exe")
| eval uri_type=case(
    match(CommandLine, "(?i)mhtml:"), "mhtml",
    match(CommandLine, "(?i)ms-its:"), "ms-its",
    match(CommandLine, "(?i)mk:@MSITStore"), "mk-msitstore",
    true(), "other-legacy"
  )
| table _time, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, uri_type
| sort -_time
critical severity high confidence

CrowdStrike Falcon query detecting iexplore.exe process launches with legacy MSHTML URI protocol arguments from document or browser parent processes, covering the CVE-2024-38112 attack chain used by Void Banshee.

Data Sources

CrowdStrike Falcon Endpoint Protection

Required Tables

ProcessRollup2

False Positives & Tuning

  • Enterprise software that invokes iexplore.exe with mhtml: for legacy report generation
  • CHM-based documentation systems launched from Office applications
  • Authorized red team or penetration testing activities using CVE-2024-38112 proof-of-concept

Other platforms for CVE-2024-38112

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate CVE-2024-38112: mhtml URI via crafted .url file

    Expected signal: Sysmon EventID 11 for .url file creation in %TEMP%; Sysmon EventID 1 for explorer.exe launching iexplore.exe with mhtml: in the command line; Sysmon EventID 3 for iexplore.exe attempting outbound connection to 192.168.100.200:80

  2. Test 2Simulate CVE-2024-38112: ms-its URI handler via .url file

    Expected signal: Sysmon EventID 1 for iexplore.exe or hh.exe with ms-its: in CommandLine; Sysmon EventID 3 for outbound HTTP to 192.168.100.200; Sysmon EventID 11 for .url file creation

  3. Test 3Simulate Void Banshee delivery chain: Outlook attachment drop and .url execution

    Expected signal: Sysmon EventID 11 for .url file in Outlook INetCache path; Sysmon EventID 1 for cmd.exe parent and iexplore.exe child with mhtml: CommandLine; Sysmon EventID 3 for iexplore.exe outbound connection attempt; Windows Security EventID 4688 for process creation chain

Last updated: 2026-06-20 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2024-38112 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0005Defense Evasion

Related Techniques

T1566.001Spearphishing AttachmentT1203Exploitation for Client ExecutionT1218System Binary Proxy Execution

Same Tactic: Initial Access

Popular Detections