CVE-2024-38112 Splunk · SPL

Detect Windows MSHTML Spoofing via .url File Phishing (Void Banshee) in Splunk

CVE-2024-38112 is a high-severity (CVSS 7.5) spoofing vulnerability in the Windows MSHTML Platform. Threat actors crafted malicious .url files that, when opened, invoke Internet Explorer's MSHTML engine via the mhtml: URI handler — even on systems where IE is disabled or removed. This allowed attackers to bypass modern browser security controls and render attacker-controlled HTML/JavaScript content, leading to code execution or credential phishing. The vulnerability was actively exploited by the APT group Void Banshee as a zero-day to deliver infostealer malware (Atlantida Stealer) targeting North American and European organisations. CISA added this to the KEV catalog with a remediation deadline of July 30, 2024.

MITRE ATT&CK

Tactic: Initial Access, Execution

SPL Detection Query

Splunk (SPL)
index=endpoint sourcetype IN ("XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "crowdstrike:events:sensor")
(
  (EventCode=1 OR event_simpleName="ProcessRollup2")
  AND (
    (Image="*\\iexplore.exe" AND ParentImage IN ("*\\explorer.exe", "*\\WINWORD.EXE",
      "*\\EXCEL.EXE", "*\\OUTLOOK.EXE", "*\\rundll32.exe"))
    OR (CommandLine="*mhtml:*")
    OR (CommandLine="*url.dll,FileProtocolHandler*" AND CommandLine="*.url*")
  )
)
| eval CVE="CVE-2024-38112"
| eval ThreatType=case(
    match(CommandLine, "(?i)mhtml:"), "MHTML-URI-Invocation",
    match(Image, "(?i)iexplore"), "IE-Spawned-By-Unexpected-Parent",
    true(), "URL-File-Handler-Execution"
  )
| bin _time span=1h
| stats count AS ProcessEvents,
        values(Image) AS Processes,
        values(ParentImage) AS ParentProcesses,
        values(CommandLine) AS CommandLines
  BY _time, host, user, CVE, ThreatType
| where ProcessEvents >= 1
| sort - ProcessEvents
| table _time, host, user, ThreatType, ProcessEvents, Processes, ParentProcesses, CommandLines, CVE
Severity: high · Confidence: high

Detects CVE-2024-38112 exploitation by monitoring for iexplore.exe spawned by Office or shell processes, mhtml: URI handler invocations, and url.dll FileProtocolHandler executions triggered by .url files — the exact mechanism used by Void Banshee to invoke IE's MSHTML engine on patched systems.
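As an added illustration (not code from the original detection page), the Python below re-implements the rule's three match conditions and the ThreatType precedence of its case() over a few constructed Sysmon Event ID 1 records, and adds the named-allowlist tuning suggested under False Positives; hosts, users, paths and URLs are made-up sample values.

```python
from collections import Counter
# Parents the page's SPL rule treats as unexpected launchers of iexplore.exe
SUSPECT_PARENTS = tuple("\\" + p for p in
                        ("explorer.exe", "winword.exe", "excel.exe", "outlook.exe", "rundll32.exe"))

# Constructed Sysmon Event ID 1 records (not real telemetry); only the fields the rule reads.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Internet Explorer\iexplore.exe" mhtml:http://example.invalid/index.html'},
    {"host": "ws01", "user": "CORP\\alice",
     "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe url.dll,FileProtocolHandler C:\Users\alice\Downloads\invoice.url"},
    {"host": "ws02", "user": "CORP\\bob",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Internet Explorer\iexplore.exe" http://intranet.corp/legacy'},
    {"host": "ws03", "user": "CORP\\carol",
     "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

def classify(ev):
    """Return the ThreatType the SPL rule assigns, or None when the event does not match."""
    image, parent, cmd = (ev[k].lower() for k in ("Image", "ParentImage", "CommandLine"))
    ie_from_suspect_parent = image.endswith("\\iexplore.exe") and parent.endswith(SUSPECT_PARENTS)
    mhtml_uri = "mhtml:" in cmd
    url_handler = "url.dll,fileprotocolhandler" in cmd and ".url" in cmd
    if not (ie_from_suspect_parent or mhtml_uri or url_handler):
        return None
    # Same precedence as the rule's case(): mhtml: first, then the iexplore image, else the handler
    if mhtml_uri:
        return "MHTML-URI-Invocation"
    if "iexplore" in image:
        return "IE-Spawned-By-Unexpected-Parent"
    return "URL-File-Handler-Execution"

def detect(events, allowlist=()):
    """Count matches per (host, user, ThreatType) like the rule's stats BY clause; allowlist holds
    command-line substrings (approved intranet URLs) that suppress only the IE-spawned case."""
    counts = Counter()
    for ev in events:
        threat = classify(ev)
        if threat is None:
            continue
        if threat == "IE-Spawned-By-Unexpected-Parent" and any(
                a.lower() in ev["CommandLine"].lower() for a in allowlist):
            continue
        counts[(ev["host"], ev["user"], threat)] += 1
    return counts
```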

Data Sources

  • Sysmon (Event ID 1 — process creation)
  • CrowdStrike Falcon process telemetry

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legacy enterprise apps explicitly launching IE for specific intranet URLs (create a named allowlist)
  • Help documentation that uses mhtml: links

Testing Methodology

Validate this detection against one adversary technique from Atomic Red Team. The test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Invoke mhtml: URI handler via .url shortcut file

    Expected signal: Sysmon Event ID 1 — iexplore.exe spawned by explorer.exe with mhtml: URI in command line.
