Detect CVE-2024-30078: Windows Wi-Fi Driver Remote Code Execution via Adjacent Network in Elastic Security
Detects exploitation attempts of CVE-2024-30078, a critical Windows Wi-Fi Driver vulnerability (CWE-591: Sensitive Data Storage in Improperly Locked Memory) that allows unauthenticated remote code execution from an adjacent network. An attacker within Wi-Fi range can send specially crafted network packets to trigger memory corruption in the Windows Wi-Fi driver (nwifi.sys), potentially gaining SYSTEM-level code execution without user interaction. Affected platforms include Windows 10, Windows 11, and Windows Server 2008 through 2022.
MITRE ATT&CK
Elastic Detection Query
sequence by host.name with maxspan=5m
[process where process.parent.name == "svchost.exe" and
process.parent.args : "*wlansvc*" and
process.name in ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")]
[network where process.name in ("cmd.exe", "powershell.exe", "rundll32.exe") and
network.direction == "outgoing" and
not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]EQL sequence detection for CVE-2024-30078 post-exploitation: identifies a shell process spawned under the WLAN service context (svchost -k wlansvc) followed within 5 minutes by an outbound network connection from that child process, suggesting successful code execution and C2 callback.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate administrative PowerShell scripts invoked from scheduled tasks running under svchost
- Windows built-in diagnostics that spawn cmd.exe transiently during network troubleshooting
- Third-party wireless management tools making outbound connections after interacting with WLAN service
- False sequence matches during Windows Update when driver components briefly spawn processes
Other platforms for CVE-2024-30078
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate WLAN Service Child Process Spawn (Post-Exploitation Indicator)
Expected signal: Sysmon EventID 1 (Process Create) with ParentImage=svchost.exe, ParentCommandLine containing '-k wlansvc', Image=cmd.exe. MDE DeviceProcessEvents showing InitiatingProcessCommandLine with 'wlansvc'.
- Test 2Wi-Fi Driver Version Audit for Vulnerability Assessment
Expected signal: DeviceEvents with ActionType=FileRead on nwifi.sys path. PowerShell script block logging (EventID 4104) capturing the enumeration commands. WMI activity logs showing Win32_SystemDriver query.
- Test 3Adjacent Network Malformed 802.11 Frame Injection (Controlled Lab)
Expected signal: On the target Windows host: Windows Event Log System EventID 41 or 1001 (BugCheck/kernel crash) if exploitation succeeds. Network capture on the target side shows malformed 802.11 frames from attacker MAC. Defender/EDR may log driver fault events referencing nwifi.sys.
Unlock Pro Content
Get the full detection package for CVE-2024-30078 including response playbook, investigation guide, and atomic red team tests.