
Summary
This detection rule covers a vulnerability in the Windows SpeechRuntime that enables lateral movement through COM hijacking. By abusing a susceptible COM class, an attacker can modify the registry so that a malicious DLL is loaded when SpeechRuntime.exe executes; if this happens in the context of a logged-on user, it yields remote code execution with that user's privileges. The rule captures instances of SpeechRuntime.exe loading DLLs from unexpected locations, flagging loads that could indicate a compromise. It uses Sysmon Event ID 7 (Image Loaded) logs to detect these anomalies, in particular checking whether the loaded DLL resides outside the standard Windows system directory.
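As an added example (not the rule's own logic or code from its source), the Summary's detection condition expressed in Python and run over constructed Sysmon Event ID 7 records; the JSON field layout, the sample paths and DLL names, and the use of C:\Windows\System32\ as the "standard system directory" prefix are assumptions.

```python
import json
from typing import Iterable

# Constructed sample of Sysmon Event ID 7 (Image Loaded) records, flattened to
# JSON lines as a log forwarder might emit them. Field names mirror Sysmon's
# EventData (Image, ImageLoaded); every path and DLL name here is invented.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Windows\\System32\\Speech_OneCore\\common\\SpeechRuntime.exe", "ImageLoaded": "C:\\Windows\\System32\\combase.dll"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\Speech_OneCore\\common\\SpeechRuntime.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\hijack.dll"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\Speech_OneCore\\common\\SpeechRuntime.exe", "ImageLoaded": "c:\\windows\\system32\\ole32.dll"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\Speech_OneCore\\common\\SpeechRuntime.exe", "ImageLoaded": "C:\\Windows\\Temp\\stage.dll"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\other.dll"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\Speech_OneCore\\common\\SpeechRuntime.exe", "CommandLine": "SpeechRuntime.exe"}
"""

# Assumption: the "standard Windows system directory" is System32 only, so a
# load from elsewhere under C:\Windows (e.g. C:\Windows\Temp) is still flagged.
SYSTEM_DIR_PREFIX = "c:\\windows\\system32\\"


def is_suspicious_load(event: dict) -> bool:
    """True when SpeechRuntime.exe loads a DLL from outside System32.

    Only Image Loaded events (ID 7) are considered, and path comparison is
    case-insensitive because NTFS paths in Sysmon logs vary in casing.
    """
    if event.get("EventID") != 7:
        return False
    image = event.get("Image", "").lower()
    if not image.endswith("\\speechruntime.exe"):
        return False
    loaded = event.get("ImageLoaded", "").lower()
    return not loaded.startswith(SYSTEM_DIR_PREFIX)


def scan(lines: Iterable[str]) -> list[str]:
    """Return the ImageLoaded paths of all matching events, in log order."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_suspicious_load(event):
            hits.append(event["ImageLoaded"])
    return hits


if __name__ == "__main__":
    for path in scan(SAMPLE_EVENTS.splitlines()):
        print("SpeechRuntime.exe loaded DLL from unexpected location:", path)
```

The record from notepad.exe and the Event ID 1 record show that scoping to both the process name and the event type keeps unrelated loads out of the result.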
Categories
- Endpoint
- Windows
Data Sources
- Process
- Application Log
ATT&CK Techniques
- T1021.003
Created: 2025-08-22