Detect CVE-2024-38112 - Windows MSHTML Spoofing via .url File Phishing (Void Banshee) in Sumo Logic CSE
Detects exploitation of CVE-2024-38112, a Windows MSHTML spoofing vulnerability actively exploited by the Void Banshee threat group. Attackers deliver crafted .url files that invoke the legacy Internet Explorer MSHTML engine (mhtml: or ms-its: URI handlers) to load remote malicious content, bypassing modern browser security controls. Patch released July 2024; in CISA KEV catalog.
MITRE ATT&CK
Sumo Detection Query
_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| json auto
| where (Image matches "*\\iexplore.exe" or process_name matches "*iexplore.exe")
| where (
toLowerCase(CommandLine) matches "*mhtml:*" or
toLowerCase(CommandLine) matches "*ms-its:*" or
toLowerCase(CommandLine) matches "*mk:@msitstore*" or
toLowerCase(CommandLine) matches "*its:*"
)
| where (
toLowerCase(ParentImage) matches "*outlook.exe*" or
toLowerCase(ParentImage) matches "*winword.exe*" or
toLowerCase(ParentImage) matches "*excel.exe*" or
toLowerCase(ParentImage) matches "*powerpnt.exe*" or
toLowerCase(ParentImage) matches "*explorer.exe*" or
toLowerCase(ParentImage) matches "*msedge.exe*" or
toLowerCase(ParentImage) matches "*chrome.exe*" or
toLowerCase(ParentImage) matches "*firefox.exe*"
)
| count by _sourceHost, User, CommandLine, ParentImage
| sort by _count descSumo Logic query detecting iexplore.exe invocations with MSHTML legacy URI schemes from mail clients and browsers, indicating potential CVE-2024-38112 exploitation via crafted .url files.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise applications with embedded IE compatibility mode that use mhtml: protocol handlers
- Older compiled HTML help (.chm) files opened from Office applications via ms-its: protocol
- IT department scripts that use iexplore.exe for legacy intranet site testing
Other platforms for CVE-2024-38112
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate CVE-2024-38112: mhtml URI via crafted .url file
Expected signal: Sysmon EventID 11 for .url file creation in %TEMP%; Sysmon EventID 1 for explorer.exe launching iexplore.exe with mhtml: in the command line; Sysmon EventID 3 for iexplore.exe attempting outbound connection to 192.168.100.200:80
- Test 2Simulate CVE-2024-38112: ms-its URI handler via .url file
Expected signal: Sysmon EventID 1 for iexplore.exe or hh.exe with ms-its: in CommandLine; Sysmon EventID 3 for outbound HTTP to 192.168.100.200; Sysmon EventID 11 for .url file creation
- Test 3Simulate Void Banshee delivery chain: Outlook attachment drop and .url execution
Expected signal: Sysmon EventID 11 for .url file in Outlook INetCache path; Sysmon EventID 1 for cmd.exe parent and iexplore.exe child with mhtml: CommandLine; Sysmon EventID 3 for iexplore.exe outbound connection attempt; Windows Security EventID 4688 for process creation chain
Unlock Pro Content
Get the full detection package for CVE-2024-38112 including response playbook, investigation guide, and atomic red team tests.