Detectionhighexperimental

Suspicious Speech Runtime Binary Child Process

Detects suspicious Speech Runtime Binary Execution by monitoring its child processes. Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

andrewdanisCreated Thu Oct 2378f10490-f2f4-4d19-a75b-4e0683bf3b8dwindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        ParentImage|endswith: '\SpeechRuntime.exe'
    condition: selection

False Positives

Unlikely.

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0008 · Lateral Movement

Techniques

T1218 · System Binary Proxy Execution

Sub-techniques

T1021.003 · Distributed Component Object Model

Rule Metadata

Rule ID

78f10490-f2f4-4d19-a75b-4e0683bf3b8d

Status

experimental

Level

high

Type

Detection

Created

Thu Oct 23

Author

andrewdanis

Path

rules/windows/process_creation/proc_creation_win_speechruntime_child_process.yml

Raw Tags

attack.defense-evasionattack.lateral-movementattack.t1021.003attack.t1218

View on GitHub