Detect Windows Wi-Fi Driver Remote Code Execution via Adjacent Network in Splunk
CVE-2024-30078 is a high-severity (CVSS 8.8) remote code execution vulnerability in the Windows Wi-Fi Driver. An unauthenticated attacker within Wi-Fi radio range of a target can execute arbitrary code on the victim's device by sending a specially crafted network packet. No user interaction is required. The attack vector is 'Adjacent Network' (AV:A), meaning the attacker must be on the same network segment or within Wi-Fi broadcast range. All supported Windows versions are affected (Windows 10, 11, Server 2008–2022). This vulnerability is particularly relevant for SMB environments where employees work in shared offices, co-working spaces, hotels, or coffee shops — any shared Wi-Fi environment with other devices in range becomes a potential attack surface. Despite no confirmed in-the-wild exploitation at time of disclosure, the lack of user interaction makes it a high-priority patch.
MITRE ATT&CK
- Tactic
- Initial Access Execution
SPL Detection Query
index=endpoint sourcetype IN ("XmlWinEventLog:Microsoft-Windows-Sysmon/Operational",
"WinEventLog:Microsoft-Windows-WLAN-AutoConfig/Operational",
"crowdstrike:events:sensor")
(
(
(EventCode=1 OR event_simpleName="ProcessRollup2")
AND ParentImage IN ("*\\wlanext.exe", "*\\svchost.exe")
AND match(ParentCommandLine, "(?i)(wlansvc|nativewifi|dot3svc|WLANSVC)")
AND Image IN ("*\\cmd.exe", "*\\powershell.exe", "*\\wscript.exe",
"*\\mshta.exe", "*\\rundll32.exe")
)
OR
(
EventCode IN (11001, 11002, 11004, 11005)
AND match(_raw, "(?i)(ad.hoc|IBSS|open network|insecure)")
)
)
| eval CVE="CVE-2024-30078"
| eval ThreatType=case(
EventCode=1, "WiFi-Service-Spawned-Shell",
EventCode IN (11001,11002,11004,11005), "Insecure-WiFi-Connection",
true(), "WiFi-Anomaly"
)
| stats count AS Events,
values(Image) AS ChildProcesses,
values(CommandLine) AS Commands,
values(ParentCommandLine) AS ParentCommands
BY host, user, CVE, ThreatType, _time span=1h
| where Events >= 1
| table _time, host, user, ThreatType, ChildProcesses, Commands, Events, CVE
| sort - EventsDetects post-exploitation indicators for CVE-2024-30078: scripting interpreters or shells spawned by Windows Wi-Fi service host processes (wlanext.exe, svchost.exe running WLANSVC), and WLAN AutoConfig operational events indicating connections to insecure or ad-hoc networks where proximity attacks are feasible.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Corporate Wi-Fi management agents running as svchost services post-connection
- MDM enrollment scripts triggered after connecting to onboarding SSIDs
Other platforms for CVE-2024-30078
Testing Methodology
Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Monitor Wi-Fi service for anomalous child process creation
Expected signal: Sysmon Event ID 1 — cmd.exe spawned in Wi-Fi service execution context.
Unlock Pro Content
Get the full detection package for CVE-2024-30078 including response playbook, investigation guide, and atomic red team tests.