Detect CVE-2024-30078: Windows Wi-Fi Driver Remote Code Execution via Adjacent Network in Google Chronicle
Detects exploitation attempts of CVE-2024-30078, a critical Windows Wi-Fi Driver vulnerability (CWE-591: Sensitive Data Storage in Improperly Locked Memory) that allows unauthenticated remote code execution from an adjacent network. An attacker within Wi-Fi range can send specially crafted network packets to trigger memory corruption in the Windows Wi-Fi driver (nwifi.sys), potentially gaining SYSTEM-level code execution without user interaction. Affected platforms include Windows 10, Windows 11, and Windows Server 2008 through 2022.
MITRE ATT&CK
YARA-L Detection Query
rule cve_2024_30078_wifi_driver_rce {
meta:
author = "df00tech Detection Engineering"
description = "Detects CVE-2024-30078 Windows Wi-Fi Driver RCE exploitation indicators"
severity = "CRITICAL"
priority = "HIGH"
reference = "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30078"
yara_version = "YL2.0"
rule_version = "1.0"
events:
(
// Shell process spawned under WLAN service svchost
$e1.metadata.event_type = "PROCESS_LAUNCH"
and $e1.principal.process.file.full_path = /(?i)svchost\.exe$/
and $e1.principal.process.command_line = /(?i)wlansvc/
and $e1.target.process.file.full_path = /(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe)$/
)
or
(
// Wi-Fi driver referenced in crash/error events
$e1.metadata.event_type = "STATUS_UPDATE"
and $e1.metadata.product_event_type = /(?i)(BugCheck|KernelPanic|UnexpectedShutdown)/
and $e1.about.labels["description"] = /(?i)(nwifi\.sys|wlanext\.exe|wi-fi driver)/
)
or
(
// Suspicious driver service installation
$e1.metadata.event_type = "SERVICE_UNSPECIFIED"
and $e1.target.resource.name = /(?i)(nwifi|wlan)/
and $e1.metadata.product_event_type = /(?i)(ServiceInstall|DriverLoad)/
)
condition:
$e1
}Chronicle YARA-L 2.0 rule for CVE-2024-30078 detection, covering three primary indicators: unexpected process spawning from WLAN service svchost, kernel crash events referencing Wi-Fi driver components, and suspicious Wi-Fi driver service installation activity.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate driver deployment pipelines installing or updating nwifi.sys via service management
- Windows Subsystem features triggering transient WLAN service child processes
- Kernel crash events from hardware instability on machines with faulty wireless adapters
- Security tools enumerating wireless drivers and triggering service-related events
Other platforms for CVE-2024-30078
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate WLAN Service Child Process Spawn (Post-Exploitation Indicator)
Expected signal: Sysmon EventID 1 (Process Create) with ParentImage=svchost.exe, ParentCommandLine containing '-k wlansvc', Image=cmd.exe. MDE DeviceProcessEvents showing InitiatingProcessCommandLine with 'wlansvc'.
- Test 2Wi-Fi Driver Version Audit for Vulnerability Assessment
Expected signal: DeviceEvents with ActionType=FileRead on nwifi.sys path. PowerShell script block logging (EventID 4104) capturing the enumeration commands. WMI activity logs showing Win32_SystemDriver query.
- Test 3Adjacent Network Malformed 802.11 Frame Injection (Controlled Lab)
Expected signal: On the target Windows host: Windows Event Log System EventID 41 or 1001 (BugCheck/kernel crash) if exploitation succeeds. Network capture on the target side shows malformed 802.11 frames from attacker MAC. Defender/EDR may log driver fault events referencing nwifi.sys.
Unlock Pro Content
Get the full detection package for CVE-2024-30078 including response playbook, investigation guide, and atomic red team tests.