Suspicious Speech Runtime Binary Child Process

Detects suspicious Speech Runtime binary execution by monitoring its child processes. Child processes spawned by SpeechRuntime.exe could indicate an attempt at lateral movement via COM and DCOM hijacking.

Sigma rule

title: Suspicious Speech Runtime Binary Child Process
id: 78f10490-f2f4-4d19-a75b-4e0683bf3b8d
status: experimental
description: |
    Detects suspicious Speech Runtime Binary Execution by monitoring its child processes.
    Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.
references:
    - https://github.com/rtecCyberSec/SpeechRuntimeMove
author: andrewdanis
date: 2025-10-23
logsource:
    category: process_creation
    product: windows
tags:
    - attack.defense-evasion
    - attack.lateral-movement
    - attack.t1021.003
    - attack.t1218
detection:
    selection:
        ParentImage|endswith: '\SpeechRuntime.exe'
    condition: selection
falsepositives:
    - Unlikely.
level: high
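
To show what the selection does and does not match, the following added example (not part of the rule or of the Sigma project) evaluates `ParentImage|endswith` against constructed process-creation events. The evaluator, the function names and every event value are assumptions made for illustration.

```python
# Added example: a minimal evaluator for this rule's selection, not a Sigma backend.
# Sigma string matching is case-insensitive by default; a list of values is OR,
# and several fields inside one selection are AND.

MODIFIERS = {
    None: lambda value, pat: value == pat,
    "endswith": lambda value, pat: value.endswith(pat),
    "startswith": lambda value, pat: value.startswith(pat),
    "contains": lambda value, pat: pat in value,
}

# The rule's detection section, transcribed from the YAML on this page.
SELECTION = {"ParentImage|endswith": "\\SpeechRuntime.exe"}


def selection_matches(selection, event):
    """Return True when every field condition in the selection holds."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        op = MODIFIERS[modifier or None]
        value = event.get(field)
        if not isinstance(value, str):
            return False  # field absent from this log source: no match
        if isinstance(patterns, str):
            patterns = [patterns]
        if not any(op(value.lower(), p.lower()) for p in patterns):
            return False
    return True


# Constructed process_creation events (Sysmon Event ID 1 field names).
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},            # match
    {"ParentImage": r"c:\windows\system32\speech_onecore\common\SPEECHRUNTIME.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe"},       # match, case differs
    {"ParentImage": r"C:\Tools\NotSpeechRuntime.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},            # no match: leading '\'
    {"ParentImage": r"C:\Windows\System32\svchost.exe",   # SpeechRuntime is the child
     "Image": r"C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe"},        # ParentImage not logged
]


def alerts(events):
    """Return the child Image of every event the rule would flag."""
    return [e["Image"] for e in events if selection_matches(SELECTION, e)]
```

The rule matches on the file name only, so a copy of the binary run from another directory also matches, and events from sources that do not log the parent image never match.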
