Suspicious Speech Runtime Binary Child Process

Original Source: [Sigma source]
Title: Suspicious Speech Runtime Binary Child Process
Status: experimental
Description: Detects suspicious Speech Runtime binary execution by monitoring its child processes. Child processes spawned by SpeechRuntime.exe could indicate an attempt at lateral movement via COM & DCOM hijacking.
References:
  - https://github.com/rtecCyberSec/SpeechRuntimeMove
Author: andrewdanis
Date: 2025-10-23
Modified: None
Tags:
  • attack.defense-evasion
  • attack.lateral-movement
  • attack.t1021.003
  • attack.t1218
Logsource:
  • category: process_creation
  • product: windows
Detection:
  selection:
    ParentImage|endswith: '\SpeechRuntime.exe'
  condition: selection
Falsepositives:
  - Unlikely.
Level: high
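
The rule's selection applied to sample events, as an added example that is not part of the Sigma rule or its source repository: a small Python evaluator for the `endswith` modifier, run over constructed process_creation events to show what alerts and what does not. The events, the SpeechRuntime.exe install path and the function names are assumptions made for illustration.

```python
# Added example: the rule's selection evaluated over constructed events.
SELECTION = {"ParentImage|endswith": "\\SpeechRuntime.exe"}  # from the rule

def field_matches(event, key, expected):
    """Evaluate one Sigma field condition (plain equality or |endswith only)."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if not isinstance(value, str):
        return False  # a missing field can never satisfy the selection
    # Sigma string matching is case-insensitive by default.
    value, expected = value.lower(), expected.lower()
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "":
        return value == expected
    raise ValueError(f"unsupported modifier: {modifier}")

def rule_matches(event, selection=SELECTION):
    """condition: selection -> all field conditions must hold."""
    return all(field_matches(event, k, v) for k, v in selection.items())

# Constructed process_creation events (illustrative, not real telemetry).
# The install path below is an assumption; the rule only checks the suffix.
SPEECH = r"C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EVENTS = [
    {"id": 1, "ParentImage": SPEECH, "Image": CMD},
    # Same parent logged in upper case: still matches.
    {"id": 2, "ParentImage": SPEECH.upper(), "Image": r"C:\Temp\unknown.exe"},
    # Similar name: the leading backslash anchors on the full file name.
    {"id": 3, "ParentImage": r"C:\Tools\NotSpeechRuntime.exe", "Image": CMD},
    # SpeechRuntime.exe as the child, not the parent: outside this rule.
    {"id": 4, "ParentImage": r"C:\Windows\System32\svchost.exe", "Image": SPEECH},
    # Event with no ParentImage field at all.
    {"id": 5, "Image": CMD},
]

def alerting_ids(events=EVENTS):
    """Return the ids of the events on which the rule fires."""
    return [e["id"] for e in events if rule_matches(e)]

if __name__ == "__main__":
    print(alerting_ids())
```

Because the selection keys only on the parent's file name, it fires on any child of SpeechRuntime.exe regardless of the directory the parent ran from.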