Detect CVE-2024-30078: Windows Wi-Fi Driver Remote Code Execution via Adjacent Network in CrowdStrike LogScale
Detects exploitation attempts of CVE-2024-30078, a critical Windows Wi-Fi Driver vulnerability (CWE-591: Sensitive Data Storage in Improperly Locked Memory) that allows unauthenticated remote code execution from an adjacent network. An attacker within Wi-Fi range can send specially crafted network packets to trigger memory corruption in the Windows Wi-Fi driver (nwifi.sys), potentially gaining SYSTEM-level code execution without user interaction. Affected platforms include Windows 10, Windows 11, and Windows Server 2008 through 2022.
MITRE ATT&CK
LogScale Detection Query
#event_simpleName=ProcessRollup2
| ParentBaseFileName = "svchost.exe"
| CommandHistory = /(?i)wlansvc/
| FileName in ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")
| eval ThreatType = "WiFiDriverRCE_PostExploit"
| eval CVE = "CVE-2024-30078"
| table timestamp, ComputerName, UserName, ParentBaseFileName, FileName, CommandLine, ParentCommandLine, ThreatType, CVE
// Alternative: Kernel crash / bugcheck referencing Wi-Fi driver
// #event_simpleName=BugCheck
// | BugCheckCode = *
// | DriverName in ("nwifi.sys", "wlanext.exe")
// | eval ThreatType = "WiFiDriverRCE_KernelCrash"
// | eval CVE = "CVE-2024-30078"CrowdStrike Falcon Query Language detection for CVE-2024-30078: identifies post-exploitation shell processes launched from the WLAN service svchost context. Secondary pattern (commented) targets kernel BugCheck events associated with Wi-Fi driver components.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate PowerShell wireless management scripts invoked through the WLAN service
- Enterprise MDM solutions spawning cmd.exe for wireless policy enforcement
- Security baseline tools that enumerate wireless profiles using wlansvc context
- Driver deployment scripts using svchost-mediated service control
Other platforms for CVE-2024-30078
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate WLAN Service Child Process Spawn (Post-Exploitation Indicator)
Expected signal: Sysmon EventID 1 (Process Create) with ParentImage=svchost.exe, ParentCommandLine containing '-k wlansvc', Image=cmd.exe. MDE DeviceProcessEvents showing InitiatingProcessCommandLine with 'wlansvc'.
- Test 2Wi-Fi Driver Version Audit for Vulnerability Assessment
Expected signal: DeviceEvents with ActionType=FileRead on nwifi.sys path. PowerShell script block logging (EventID 4104) capturing the enumeration commands. WMI activity logs showing Win32_SystemDriver query.
- Test 3Adjacent Network Malformed 802.11 Frame Injection (Controlled Lab)
Expected signal: On the target Windows host: Windows Event Log System EventID 41 or 1001 (BugCheck/kernel crash) if exploitation succeeds. Network capture on the target side shows malformed 802.11 frames from attacker MAC. Defender/EDR may log driver fault events referencing nwifi.sys.
Unlock Pro Content
Get the full detection package for CVE-2024-30078 including response playbook, investigation guide, and atomic red team tests.