Detect CVE-2024-30078: Windows Wi-Fi Driver Remote Code Execution via Adjacent Network in IBM QRadar
Detects exploitation attempts of CVE-2024-30078, a critical Windows Wi-Fi Driver vulnerability (CWE-591: Sensitive Data Storage in Improperly Locked Memory) that allows unauthenticated remote code execution from an adjacent network. An attacker within Wi-Fi range can send specially crafted network packets to trigger memory corruption in the Windows Wi-Fi driver (nwifi.sys), potentially gaining SYSTEM-level code execution without user interaction. Affected platforms include Windows 10, Windows 11, and Windows Server 2008 through 2022.
MITRE ATT&CK
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
logsourcename(logsourceid) AS LogSource,
"sourceip",
"destinationip",
username,
"Process Name" AS ProcessName,
"Parent Process Name" AS ParentProcess,
"Command" AS CommandLine,
QIDNAME(qid) AS EventName,
magnitude
FROM events
WHERE
LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Windows Event Log - Application', 'Sysmon')
AND (
(
"Parent Process Name" ILIKE '%svchost%'
AND "Command" ILIKE '%wlansvc%'
AND "Process Name" ILIKE ANY ('%cmd.exe%', '%powershell.exe%', '%wscript.exe%', '%mshta.exe%', '%rundll32.exe%')
)
OR (
EventID IN (41, 1001, 6008)
AND ("Event Message" ILIKE '%nwifi%' OR "Event Message" ILIKE '%wlanext%' OR "Event Message" ILIKE '%wi-fi driver%')
)
OR (
EventID IN (7045, 7000)
AND ("Event Message" ILIKE '%nwifi%' OR "Event Message" ILIKE '%wlan%')
)
)
LAST 1 HOURSQRadar AQL query detecting CVE-2024-30078 exploitation indicators: unexpected child processes under WLAN service svchost, kernel crash events referencing nwifi/wlanext, and suspicious driver service registrations. Covers both exploitation and post-exploitation phases.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate IT management tools interfacing with WLAN service via svchost
- Driver update utilities triggering service events during patching cycles
- Non-exploitation kernel crashes due to hardware faults or driver incompatibilities
- Security software performing wireless interface enumeration
Other platforms for CVE-2024-30078
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate WLAN Service Child Process Spawn (Post-Exploitation Indicator)
Expected signal: Sysmon EventID 1 (Process Create) with ParentImage=svchost.exe, ParentCommandLine containing '-k wlansvc', Image=cmd.exe. MDE DeviceProcessEvents showing InitiatingProcessCommandLine with 'wlansvc'.
- Test 2Wi-Fi Driver Version Audit for Vulnerability Assessment
Expected signal: DeviceEvents with ActionType=FileRead on nwifi.sys path. PowerShell script block logging (EventID 4104) capturing the enumeration commands. WMI activity logs showing Win32_SystemDriver query.
- Test 3Adjacent Network Malformed 802.11 Frame Injection (Controlled Lab)
Expected signal: On the target Windows host: Windows Event Log System EventID 41 or 1001 (BugCheck/kernel crash) if exploitation succeeds. Network capture on the target side shows malformed 802.11 frames from attacker MAC. Defender/EDR may log driver fault events referencing nwifi.sys.
Unlock Pro Content
Get the full detection package for CVE-2024-30078 including response playbook, investigation guide, and atomic red team tests.