Renamed TinyCC (TCC) Compiler Execution

Rule Info

Name
Renamed TinyCC (TCC) Compiler Execution
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the execution of a renamed TinyCC (TCC) Compiler (tcc.exe). Attackers have been observed renaming tcc.exe to masquerade as legitimate Windows binaries (e.g., svchost.exe) to compile and execute malicious C code in memory, such as shellcode loaders. This technique was observed in Chrysalis backdoor attacks.
Date
2026-02-03 00:00:00
Modified
None
Id
8a7b9c2d-3e4f-5a6b-7c8d-9e0f1a2b3c4d
Tags
attack.defense-evasion attack.t1036.003 attack.execution attack.t1059 attack.t1027.004
Type
Nextron Sigma feed only (private)

Rule History