Detection rules › Splunk
Windows TinyCC Shellcode Execution
Detects abuse of Tiny-C-Compiler (TinyCC) for shellcode execution, where tcc.exe is renamed to masquerade as svchost.exe and used to compile and execute C source files containing shellcode. This technique was observed in the Lotus Blossom Chrysalis backdoor campaign, where attackers renamed tcc.exe to svchost.exe and executed conf.c containing Metasploit block_api shellcode with the flags -nostdlib -run. TinyCC is a legitimate C compiler, but its ability to compile and execute code on-the-fly makes it attractive to attackers seeking to evade detection. The combination of a renamed compiler binary executing from non-standard locations with suspicious flags is a strong indicator of malicious activity.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059.003 Command and Scripting Interpreter: Windows Command Shell |
| Defense Evasion | T1027 Obfuscated Files or Information, T1036 Masquerading |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Security-Auditing | 4688 | A new process has been created. |
Stages and Predicates
Stage 1: tstats
tstats WHERE NOT Processes.process_path IN ("*:\\Windows\\SysWOW64\\*", "*:\\Windows\\System32\\*") Processes.process="* -nostdlib*" Processes.process="* -run*" Processes.process IN ("*.c", "*conf.c*") Processes.process_name IN ("svchost.exe", "tcc.exe") BY Processes.action, Processes.dest, Processes.user, Processes.process, Processes.parent_process, Processes.parent_process_exec, Processes.parent_process_guid, Processes.parent_process_id, Processes.parent_process_name, Processes.parent_process_path, Processes.process_name, Processes.process_id, Processes.process_exec, Processes.process_guid, Processes.process_hash, Processes.process_integrity_level, Processes.process_path, Processes.original_file_name, Processes.user_id, Processes.vendor_product
Stage 2: search
search
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | Image | in | "*:\\Windows\\SysWOW64\\*", "*:\\Windows\\System32\\*" |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Processes.process | eq |
|
Processes.process | in |
|
Processes.process_name | in |
|