← Back to SOC feed Coverage →

Suspicious Speech Runtime Binary Child Process

sigma HIGH SigmaHQ
T1021.003T1218
imProcessCreate
lateral-movement
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-20T11:00:00Z · Confidence: low

Hunt Hypothesis

Detects suspicious Speech Runtime Binary Execution by monitoring its child processes. Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacki

Detection Rule

Sigma (Original)

title: Suspicious Speech Runtime Binary Child Process
id: 78f10490-f2f4-4d19-a75b-4e0683bf3b8d
status: experimental
description: |
    Detects suspicious Speech Runtime Binary Execution by monitoring its child processes.
    Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.
references:
    - https://github.com/rtecCyberSec/SpeechRuntimeMove
author: andrewdanis
date: 2025-10-23
logsource:
    category: process_creation
    product: windows
tags:
    - attack.lateral-movement
    - attack.stealth
    - attack.t1021.003
    - attack.t1218
detection:
    selection:
        ParentImage|endswith: '\SpeechRuntime.exe'
    condition: selection
falsepositives:
    - Unlikely.
level: high

KQL (Azure Sentinel)

imProcessCreate
| where ParentProcessName endswith "\\SpeechRuntime.exe" or ActingProcessName endswith "\\SpeechRuntime.exe"

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_speechruntime_child_process.yml