CVE-2024-38112 IBM QRadar · QRadar

Detect CVE-2024-38112 - Windows MSHTML Spoofing via .url File Phishing (Void Banshee) in IBM QRadar

Detects exploitation of CVE-2024-38112, a Windows MSHTML spoofing vulnerability actively exploited by the Void Banshee threat group. Attackers deliver crafted .url files that invoke the legacy Internet Explorer MSHTML engine (mhtml: or ms-its: URI handlers) to load remote malicious content, bypassing modern browser security controls. Patch released July 2024; in CISA KEV catalog.

MITRE ATT&CK

Tactics: Initial Access, Execution, Defense Evasion

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS 'Event Time',
       sourceip AS 'Source IP',
       username AS 'User',
       "Process Name" AS 'Process',
       "Command" AS 'Command Line',
       "Parent Process Name" AS 'Parent Process',
       QIDNAME(qid) AS 'Event Name',
       LOGSOURCENAME(logsourceid) AS 'Log Source'
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND LOWER("Process Name") LIKE '%iexplore.exe%'
  AND (
       LOWER("Command") LIKE '%mhtml:%'
    OR LOWER("Command") LIKE '%ms-its:%'
    OR LOWER("Command") LIKE '%mk:@msitstore%'
    OR LOWER("Command") LIKE '%its:%'
  )
  AND LOWER("Parent Process Name") IN ('explorer.exe','outlook.exe','winword.exe','excel.exe','powerpnt.exe','msedge.exe','chrome.exe','firefox.exe')
ORDER BY devicetime DESC
LIMIT 1000
LAST 7 DAYS
```

The seven-day window is expressed with AQL's `LAST 7 DAYS` time-range clause, which must come after `LIMIT`; the original `DATEADD`/`CURRENT_DATE` comparison is not valid AQL.

Severity: critical; Confidence: medium

QRadar AQL query identifying Internet Explorer processes launched with MSHTML legacy URI schemes from document or browser parent processes, the exploitation pattern for CVE-2024-38112.

Data Sources

Windows Security Event Log, Sysmon (via QRadar DSM)

Required Tables

events

False Positives & Tuning

  • Legacy intranet applications that invoke iexplore.exe with mhtml: or ms-its: arguments for compatibility
  • CHM-based help systems launched from document editors
  • Authorized penetration testing activities targeting the CVE-2024-38112 attack vector

Testing Methodology

Validate this detection against the three adversary techniques below, adapted from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Simulate CVE-2024-38112: mhtml URI via crafted .url file

    Expected signal: Sysmon EventID 11 for .url file creation in %TEMP%; Sysmon EventID 1 for explorer.exe launching iexplore.exe with mhtml: in the command line; Sysmon EventID 3 for iexplore.exe attempting an outbound connection to 192.168.100.200:80

  2. Test 2: Simulate CVE-2024-38112: ms-its URI handler via .url file

    Expected signal: Sysmon EventID 1 for iexplore.exe or hh.exe with ms-its: in CommandLine; Sysmon EventID 3 for outbound HTTP to 192.168.100.200; Sysmon EventID 11 for .url file creation

  3. Test 3: Simulate Void Banshee delivery chain: Outlook attachment drop and .url execution

    Expected signal: Sysmon EventID 11 for .url file in the Outlook INetCache path; Sysmon EventID 1 for cmd.exe parent and iexplore.exe child with mhtml: in CommandLine; Sysmon EventID 3 for iexplore.exe outbound connection attempt; Windows Security EventID 4688 for the process creation chain
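To show what the rule's WHERE clause accepts and rejects before it goes into QRadar, here is an added Python re-implementation of its three filters run over constructed Sysmon Event ID 1 records (example code written for this page, not part of the detection package or of QRadar; the flattened `Key: value | Key: value` record layout is an assumption). One point it makes visible: the Test 3 chain has cmd.exe as the parent of iexplore.exe, and cmd.exe is not in the rule's parent allow-list, so the rule as written does not fire on that test.

```python
import ntpath
from dataclasses import dataclass

# The same three filters the AQL rule applies: iexplore.exe as the process,
# a legacy MSHTML URI scheme somewhere in the command line, and a parent
# from the rule's allow-list of document editors and browsers.
URI_SCHEMES = ("mhtml:", "ms-its:", "mk:@msitstore", "its:")
PARENTS = {"explorer.exe", "outlook.exe", "winword.exe", "excel.exe",
           "powerpnt.exe", "msedge.exe", "chrome.exe", "firefox.exe"}

@dataclass
class ProcessCreate:
    image: str
    command_line: str
    parent_image: str

def parse_event(line):
    """Parse a Sysmon Event ID 1 record flattened to 'Key: value | Key: value'
    (a constructed layout for this example, not the DSM's native format)."""
    fields = dict(part.partition(": ")[::2] for part in line.split(" | "))
    return ProcessCreate(fields["Image"], fields["CommandLine"], fields["ParentImage"])

def matches_rule(ev):
    """Apply the rule's WHERE clause to one process-creation event."""
    cmd = ev.command_line.lower()
    parent = ntpath.basename(ev.parent_image).lower()
    return ("iexplore.exe" in ev.image.lower()        # LIKE '%iexplore.exe%'
            and any(s in cmd for s in URI_SCHEMES)    # LIKE '%mhtml:%' OR ...
            and parent in PARENTS)                    # "Parent Process Name" IN (...)

def run_rule(lines):
    """Return the command line of every event the rule would surface."""
    return [ev.command_line for ev in map(parse_event, lines) if matches_rule(ev)]

# Constructed sample events: the Test 1 launch, a benign intranet launch
# from explorer.exe, and the Test 3 chain with cmd.exe as the parent.
SAMPLE_EVENTS = [
    r"EventID: 1 | Image: C:\Program Files\Internet Explorer\iexplore.exe"
    r" | CommandLine: iexplore.exe mhtml:http://192.168.100.200/index.html"
    r" | ParentImage: C:\Windows\explorer.exe",
    r"EventID: 1 | Image: C:\Program Files\Internet Explorer\iexplore.exe"
    r" | CommandLine: iexplore.exe https://intranet.example/portal"
    r" | ParentImage: C:\Windows\explorer.exe",
    r"EventID: 1 | Image: C:\Program Files\Internet Explorer\iexplore.exe"
    r" | CommandLine: iexplore.exe mhtml:http://192.168.100.200/index.html"
    r" | ParentImage: C:\Windows\System32\cmd.exe",
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Only the first sample is surfaced; extend the parent list in the AQL `IN (...)` clause if the cmd.exe chain from Test 3 is one you expect to catch.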
