Which SIEM platforms have a CVE-2024-30078 detection rule?

df00tech provides CVE-2024-30078 (CVE-2024-30078: Windows Wi-Fi Driver Remote Code Execution via Adjacent Network) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the CVE-2024-30078 detection?

The CVE-2024-30078 detection is rated critical severity with medium confidence.

What are common false positives for CVE-2024-30078?

Common false positives for CVE-2024-30078 include: Legitimate Wi-Fi driver updates or reinstallations by IT administrators; System administrators running diagnostic tools against wireless interfaces; Antivirus or EDR products scanning nwifi.sys during scheduled scans.

CVE-2024-30078: CVE-2024-30078: Windows Wi-Fi Driver Remote Code Execution via Adjacent Network — Detection (KQL, SPL, Sigma + 5 SIEMs)

Q: What data sources are required to detect CVE-2024-30078: Windows Wi-Fi Driver Remote Code Execution via Adjacent Network (CVE-2024-30078)?

Detecting CVE-2024-30078: Windows Wi-Fi Driver Remote Code Execution via Adjacent Network requires the following data sources: Microsoft Defender for Endpoint, Microsoft Sentinel, Windows Event Logs.

Microsoft Sentinel / Defender

kusto

let timeWindow = 1h;
let suspiciousDriverEvents = DeviceEvents
| where Timestamp > ago(timeWindow)
| where ActionType in ("DriverLoad", "ServiceInstalled")
| where InitiatingProcessFileName =~ "nwifi.sys" or FileName =~ "nwifi.sys"
| project Timestamp, DeviceId, DeviceName, ActionType, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine;
let wifiCrashEvents = DeviceEvents
| where Timestamp > ago(timeWindow)
| where ActionType == "ProcessCrashed" or ActionType == "KernelPanicDetected"
| where InitiatingProcessFileName has_any ("wlanext.exe", "nwifi.sys", "wlansvc.dll")
| project Timestamp, DeviceId, DeviceName, ActionType, InitiatingProcessFileName;
let unexpectedNetworkSpawn = DeviceProcessEvents
| where Timestamp > ago(timeWindow)
| where InitiatingProcessFileName =~ "svchost.exe"
| where InitiatingProcessCommandLine has "wlansvc"
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")
| project Timestamp, DeviceId, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName;
union suspiciousDriverEvents, wifiCrashEvents, unexpectedNetworkSpawn
| extend AlertReason = case(
    ActionType == "DriverLoad" and FileName =~ "nwifi.sys", "Suspicious Wi-Fi driver reload",
    ActionType == "ProcessCrashed" and InitiatingProcessFileName has "nwifi", "Wi-Fi driver crash - possible exploitation attempt",
    FileName in~ ("cmd.exe", "powershell.exe"), "Unexpected shell spawned from Wi-Fi service context",
    "Anomalous Wi-Fi driver activity"
  )
| order by Timestamp desc

Detects suspicious Windows Wi-Fi driver activity indicative of CVE-2024-30078 exploitation: driver reloads, crashes in nwifi.sys context, and unexpected process spawning from the WLAN service (wlansvc). Combines DeviceEvents and DeviceProcessEvents to surface both kernel-level anomalies and post-exploitation lateral movement.

critical severity medium confidence

Data Sources

Microsoft Defender for Endpoint Microsoft Sentinel Windows Event Logs

Required Tables

DeviceEvents DeviceProcessEvents DeviceNetworkEvents

False Positives

Legitimate Wi-Fi driver updates or reinstallations by IT administrators
System administrators running diagnostic tools against wireless interfaces
Antivirus or EDR products scanning nwifi.sys during scheduled scans
Windows Update installing legitimate Wi-Fi driver patches
Third-party wireless management software interacting with WLAN service

Splunk

spl

index=windows (sourcetype="WinEventLog:System" OR sourcetype="XmlWinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational" OR sourcetype="WinEventLog:Security")
| eval EventTime=strptime(_time, "%Y-%m-%dT%H:%M:%S")
| eval isWifiCrash=if(match(Message, "(?i)nwifi\.sys|wlansvc|wlanext\.exe") AND (EventCode=41 OR EventCode=1001 OR EventCode=6008), 1, 0)
| eval isUnexpectedSpawn=if(match(ParentImage, "(?i)svchost\.exe") AND match(ParentCommandLine, "(?i)wlansvc") AND match(Image, "(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe)"), 1, 0)
| eval isDriverEvent=if((EventCode=7045 OR EventCode=7000 OR EventCode=7023) AND match(Message, "(?i)nwifi|wi-fi driver|wlan"), 1, 0)
| where isWifiCrash=1 OR isUnexpectedSpawn=1 OR isDriverEvent=1
| eval DetectionReason=case(
    isWifiCrash=1, "Wi-Fi driver crash or kernel panic - potential CVE-2024-30078 exploitation",
    isUnexpectedSpawn=1, "Shell process spawned from WLAN service - post-exploitation indicator",
    isDriverEvent=1, "Suspicious Wi-Fi driver service event",
    true(), "Unknown Wi-Fi anomaly"
  )
| table _time, host, EventCode, ComputerName, Message, DetectionReason, ParentImage, Image, ParentCommandLine, CommandLine
| sort -_time

Splunk search across Windows System, Security, and Driver Framework event logs to identify CVE-2024-30078 exploitation indicators: kernel crashes referencing nwifi.sys, unexpected shell execution under the WLAN service, and suspicious driver service registration events.

critical severity medium confidence

Data Sources

Windows Event Log Sysmon Windows Defender

Required Sourcetypes

WinEventLog:System XmlWinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational WinEventLog:Security XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate Windows Update installing patched Wi-Fi drivers triggering service restart events
Hardware failures causing genuine nwifi.sys crashes unrelated to exploitation
IT administrators remotely managing wireless configurations via PowerShell remoting
Wireless network diagnostics tools that spawn child processes from svchost context
Antivirus quarantine operations affecting Wi-Fi driver files

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where process.parent.name == "svchost.exe" and
   process.parent.args : "*wlansvc*" and
   process.name in ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")]
  [network where process.name in ("cmd.exe", "powershell.exe", "rundll32.exe") and
   network.direction == "outgoing" and
   not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

EQL sequence detection for CVE-2024-30078 post-exploitation: identifies a shell process spawned under the WLAN service context (svchost -k wlansvc) followed within 5 minutes by an outbound network connection from that child process, suggesting successful code execution and C2 callback.

critical severity high confidence

Data Sources

Elastic Endpoint Windows Event Logs Sysmon

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* winlogbeat-*

False Positives

Legitimate administrative PowerShell scripts invoked from scheduled tasks running under svchost
Windows built-in diagnostics that spawn cmd.exe transiently during network troubleshooting
Third-party wireless management tools making outbound connections after interacting with WLAN service
False sequence matches during Windows Update when driver components briefly spawn processes

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  "sourceip",
  "destinationip",
  username,
  "Process Name" AS ProcessName,
  "Parent Process Name" AS ParentProcess,
  "Command" AS CommandLine,
  QIDNAME(qid) AS EventName,
  magnitude
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Windows Event Log - Application', 'Sysmon')
  AND (
    (
      "Parent Process Name" ILIKE '%svchost%'
      AND "Command" ILIKE '%wlansvc%'
      AND "Process Name" ILIKE ANY ('%cmd.exe%', '%powershell.exe%', '%wscript.exe%', '%mshta.exe%', '%rundll32.exe%')
    )
    OR (
      EventID IN (41, 1001, 6008)
      AND ("Event Message" ILIKE '%nwifi%' OR "Event Message" ILIKE '%wlanext%' OR "Event Message" ILIKE '%wi-fi driver%')
    )
    OR (
      EventID IN (7045, 7000)
      AND ("Event Message" ILIKE '%nwifi%' OR "Event Message" ILIKE '%wlan%')
    )
  )
LAST 1 HOURS

QRadar AQL query detecting CVE-2024-30078 exploitation indicators: unexpected child processes under WLAN service svchost, kernel crash events referencing nwifi/wlanext, and suspicious driver service registrations. Covers both exploitation and post-exploitation phases.

critical severity medium confidence

Data Sources

QRadar SIEM Windows Event Log DSM Sysmon DSM

Required Tables

events

False Positives

Legitimate IT management tools interfacing with WLAN service via svchost
Driver update utilities triggering service events during patching cycles
Non-exploitation kernel crashes due to hardware faults or driver incompatibilities
Security software performing wireless interface enumeration

Sumo Logic CSE

sql

_sourceCategory=windows*
| parse regex field=Message "(?<DriverName>nwifi\.sys|wlanext\.exe|wlansvc\.dll)" nodrop
| parse regex field=ParentImage "(?<ParentExe>[^\\]+)$" nodrop
| parse regex field=Image "(?<ChildExe>[^\\]+)$" nodrop
| where (
    (EventID in ("41", "1001", "6008") and !isEmpty(DriverName))
    or (EventID in ("7045", "7000", "7023") and (Message matches "*nwifi*" or Message matches "*wlan*"))
    or (ParentExe matches "svchost.exe" and Message matches "*wlansvc*" and ChildExe in ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"))
  )
| eval DetectionType = if(EventID in ("41", "1001", "6008"), "Wi-Fi Driver Crash",
    if(EventID in ("7045", "7000"), "Suspicious Driver Registration",
    "Shell Spawned from WLAN Service"))
| eval Severity = if(DetectionType == "Shell Spawned from WLAN Service", "Critical", "High")
| fields _sourceHost, _sourceCategory, EventID, Message, ParentExe, ChildExe, DriverName, DetectionType, Severity
| order by _messageTime desc

Sumo Logic query for CVE-2024-30078 detection across Windows event sources, identifying Wi-Fi driver crashes, suspicious service registrations involving nwifi/wlan components, and unexpected child process spawning from the WLAN svchost service.

critical severity medium confidence

Data Sources

Sumo Logic Windows Event Logs Sysmon

False Positives

Legitimate wireless driver updates triggering service restart and brief process activity
Enterprise wireless management platforms spawning diagnostic utilities via service context
Antivirus scanning nwifi.sys during active monitoring causing benign driver events
Faulty wireless hardware generating repeated crash events without exploitation

Google Chronicle / SecOps

yaral

rule cve_2024_30078_wifi_driver_rce {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2024-30078 Windows Wi-Fi Driver RCE exploitation indicators"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30078"
    yara_version = "YL2.0"
    rule_version = "1.0"

  events:
    (
      // Shell process spawned under WLAN service svchost
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and $e1.principal.process.file.full_path = /(?i)svchost\.exe$/
      and $e1.principal.process.command_line = /(?i)wlansvc/
      and $e1.target.process.file.full_path = /(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe)$/
    )
    or
    (
      // Wi-Fi driver referenced in crash/error events
      $e1.metadata.event_type = "STATUS_UPDATE"
      and $e1.metadata.product_event_type = /(?i)(BugCheck|KernelPanic|UnexpectedShutdown)/
      and $e1.about.labels["description"] = /(?i)(nwifi\.sys|wlanext\.exe|wi-fi driver)/
    )
    or
    (
      // Suspicious driver service installation
      $e1.metadata.event_type = "SERVICE_UNSPECIFIED"
      and $e1.target.resource.name = /(?i)(nwifi|wlan)/
      and $e1.metadata.product_event_type = /(?i)(ServiceInstall|DriverLoad)/
    )

  condition:
    $e1
}

Chronicle YARA-L 2.0 rule for CVE-2024-30078 detection, covering three primary indicators: unexpected process spawning from WLAN service svchost, kernel crash events referencing Wi-Fi driver components, and suspicious Wi-Fi driver service installation activity.

critical severity medium confidence

Data Sources

Google Chronicle Windows Event Logs EDR telemetry

Required Tables

UDM Events

False Positives

Legitimate driver deployment pipelines installing or updating nwifi.sys via service management
Windows Subsystem features triggering transient WLAN service child processes
Kernel crash events from hardware instability on machines with faulty wireless adapters
Security tools enumerating wireless drivers and triggering service-related events

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ParentBaseFileName = "svchost.exe"
| CommandHistory = /(?i)wlansvc/
| FileName in ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")
| eval ThreatType = "WiFiDriverRCE_PostExploit"
| eval CVE = "CVE-2024-30078"
| table timestamp, ComputerName, UserName, ParentBaseFileName, FileName, CommandLine, ParentCommandLine, ThreatType, CVE

// Alternative: Kernel crash / bugcheck referencing Wi-Fi driver
// #event_simpleName=BugCheck
// | BugCheckCode = *
// | DriverName in ("nwifi.sys", "wlanext.exe")
// | eval ThreatType = "WiFiDriverRCE_KernelCrash"
// | eval CVE = "CVE-2024-30078"

CrowdStrike Falcon Query Language detection for CVE-2024-30078: identifies post-exploitation shell processes launched from the WLAN service svchost context. Secondary pattern (commented) targets kernel BugCheck events associated with Wi-Fi driver components.

critical severity medium confidence

Data Sources

CrowdStrike Falcon EDR Process Telemetry

Required Tables

ProcessRollup2 BugCheck

False Positives

Legitimate PowerShell wireless management scripts invoked through the WLAN service
Enterprise MDM solutions spawning cmd.exe for wireless policy enforcement
Security baseline tools that enumerate wireless profiles using wlansvc context
Driver deployment scripts using svchost-mediated service control

Vulnerability Intelligence

CVE

Affected Software

Weakness (CWE)

Timeline

References & Proof of Concept

CVSS

What is CVE-2024-30078 CVE-2024-30078: Windows Wi-Fi Driver Remote Code Execution via Adjacent Network?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for CVE-2024-30078

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

Get new detections in your inbox