sigmahighHunting

Suspicious Speech Runtime Binary Child Process

Detects suspicious Speech Runtime Binary Execution by monitoring its child processes. Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.

MITRE ATT&CK

T1021.003 T1218

defense-evasionlateral-movement

Detection Query

selection:
  ParentImage|endswith: \SpeechRuntime.exe
condition: selection

Author

andrewdanis

Created

2025-10-23

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://github.com/rtecCyberSec/SpeechRuntimeMove

Tags

attack.defense-evasionattack.lateral-movementattack.t1021.003attack.t1218

Raw Content

title: Suspicious Speech Runtime Binary Child Process
id: 78f10490-f2f4-4d19-a75b-4e0683bf3b8d
status: experimental
description: |
    Detects suspicious Speech Runtime Binary Execution by monitoring its child processes.
    Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.
references:
    - https://github.com/rtecCyberSec/SpeechRuntimeMove
author: andrewdanis
date: 2025-10-23
logsource:
    category: process_creation
    product: windows
tags:
    - attack.defense-evasion
    - attack.lateral-movement
    - attack.t1021.003
    - attack.t1218
detection:
    selection:
        ParentImage|endswith: '\SpeechRuntime.exe'
    condition: selection
falsepositives:
    - Unlikely.
level: high