Description of the Idea of the Rule
```yaml
title: Suspicious Speech Runtime Binary Execution
description: >
    This analytic looks for suspicious Speech Runtime Binary Execution, which is
    not a common parent process for other processes. Suspicious child processes
    spawned by speechruntime.exe could indicate an attempt at lateral movement
    via SpeechRuntime DCOM & COM Hijacking.
tags:
    - attack.defense_evasion
    - attack.t1218
    - attack.lateral_movement
    - attack.t1021.003
author: andrewdanis
references:
    - https://github.com/rtecCyberSec/SpeechRuntimeMove
logsource:
    category: process_creation
    product: windows
detection:
    condition: Section_1
    # Matches any process whose parent image is speechruntime.exe
    Section_1:
        ParentImage|endswith: '\speechruntime.exe'
falsepositives:
    - None noted. speechruntime seems to never legitimately spawn as a parent process.
level: high
status: test
```
Public References / Example Event Log
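The rule's single selection evaluated over constructed process_creation records, as an added example that is not part of the issue or of the Sigma project's code. Field names follow Sysmon Event ID 1; the sample paths and the helper names `matches_section_1` and `triage` are assumptions made for illustration.

```python
# Suffix taken from the rule's Section_1 selection (ParentImage|endswith).
PARENT_SUFFIX = "\\speechruntime.exe"


def matches_section_1(event: dict) -> bool:
    """Apply ParentImage|endswith as Sigma does: a case-insensitive suffix match."""
    parent = event.get("ParentImage")
    if not isinstance(parent, str):
        return False  # field absent or malformed: the selection cannot match
    return parent.lower().endswith(PARENT_SUFFIX)


def triage(events):
    """Return (child image, parent image) for every event the selection matches."""
    return [(e.get("Image", "?"), e["ParentImage"])
            for e in events if matches_section_1(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Child spawned by the speech runtime binary: matches.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe"},
    # Same parent logged in upper case: still matches, the modifier ignores case.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\WINDOWS\SYSTEM32\SPEECH_ONECORE\COMMON\SPEECHRUNTIME.EXE"},
    # Same file name in another directory: matches, the rule does not pin the path.
    {"Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"D:\Temp\speechruntime.exe"},
    # Lookalike name: the leading backslash in the suffix prevents a match.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\Public\notspeechruntime.exe"},
    # speechruntime.exe as the child, not the parent: no match.
    {"Image": r"C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    # Event without ParentImage: no match.
    {"Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for child, parent in triage(SAMPLE_EVENTS):
        print(f"ALERT level=high child={child} parent={parent}")
```

The third sample shows that the selection keys on the file name only, so a copy of the binary outside its usual directory also alerts.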