Detect CVE-2024-30078: Windows Wi-Fi Driver Remote Code Execution via Adjacent Network in Sumo Logic CSE
Detects exploitation attempts of CVE-2024-30078, a critical Windows Wi-Fi Driver vulnerability (CWE-591: Sensitive Data Storage in Improperly Locked Memory) that allows unauthenticated remote code execution from an adjacent network. An attacker within Wi-Fi range can send specially crafted network packets to trigger memory corruption in the Windows Wi-Fi driver (nwifi.sys), potentially gaining SYSTEM-level code execution without user interaction. Affected platforms include Windows 10, Windows 11, and Windows Server 2008 through 2022.
MITRE ATT&CK
Sumo Detection Query
_sourceCategory=windows*
| parse regex field=Message "(?<DriverName>nwifi\.sys|wlanext\.exe|wlansvc\.dll)" nodrop
| parse regex field=ParentImage "(?<ParentExe>[^\\]+)$" nodrop
| parse regex field=Image "(?<ChildExe>[^\\]+)$" nodrop
| where (
(EventID in ("41", "1001", "6008") and !isEmpty(DriverName))
or (EventID in ("7045", "7000", "7023") and (Message matches "*nwifi*" or Message matches "*wlan*"))
or (ParentExe matches "svchost.exe" and Message matches "*wlansvc*" and ChildExe in ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"))
)
| eval DetectionType = if(EventID in ("41", "1001", "6008"), "Wi-Fi Driver Crash",
if(EventID in ("7045", "7000"), "Suspicious Driver Registration",
"Shell Spawned from WLAN Service"))
| eval Severity = if(DetectionType == "Shell Spawned from WLAN Service", "Critical", "High")
| fields _sourceHost, _sourceCategory, EventID, Message, ParentExe, ChildExe, DriverName, DetectionType, Severity
| order by _messageTime descSumo Logic query for CVE-2024-30078 detection across Windows event sources, identifying Wi-Fi driver crashes, suspicious service registrations involving nwifi/wlan components, and unexpected child process spawning from the WLAN svchost service.
Data Sources
False Positives & Tuning
- Legitimate wireless driver updates triggering service restart and brief process activity
- Enterprise wireless management platforms spawning diagnostic utilities via service context
- Antivirus scanning nwifi.sys during active monitoring causing benign driver events
- Faulty wireless hardware generating repeated crash events without exploitation
Other platforms for CVE-2024-30078
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate WLAN Service Child Process Spawn (Post-Exploitation Indicator)
Expected signal: Sysmon EventID 1 (Process Create) with ParentImage=svchost.exe, ParentCommandLine containing '-k wlansvc', Image=cmd.exe. MDE DeviceProcessEvents showing InitiatingProcessCommandLine with 'wlansvc'.
- Test 2Wi-Fi Driver Version Audit for Vulnerability Assessment
Expected signal: DeviceEvents with ActionType=FileRead on nwifi.sys path. PowerShell script block logging (EventID 4104) capturing the enumeration commands. WMI activity logs showing Win32_SystemDriver query.
- Test 3Adjacent Network Malformed 802.11 Frame Injection (Controlled Lab)
Expected signal: On the target Windows host: Windows Event Log System EventID 41 or 1001 (BugCheck/kernel crash) if exploitation succeeds. Network capture on the target side shows malformed 802.11 frames from attacker MAC. Defender/EDR may log driver fault events referencing nwifi.sys.
Unlock Pro Content
Get the full detection package for CVE-2024-30078 including response playbook, investigation guide, and atomic red team tests.