
Summary
This rule detects abuse of the Tiny C Compiler (TinyCC) for on-the-fly shellcode execution: tcc.exe is renamed to masquerade as svchost.exe and then used to compile and execute C source files that contain shellcode. The technique was observed in the Lotus Blossom Chrysalis backdoor campaign, where attackers renamed tcc.exe to svchost.exe and invoked it with flags such as -nostdlib -run to compile a .c file (including conf.c) containing shellcode. TinyCC is a legitimate tool, but its ability to compile and execute code at runtime makes it attractive to attackers seeking to evade detection, especially when combined with a renamed binary, execution from a non-standard location, and suspicious command-line arguments.

The detection relies on process-creation events (Sysmon EventID 1 and Windows Security 4688) and checks for: process_name in (svchost.exe, tcc.exe), command_line containing both "-nostdlib" and "-run", and referenced source files ending in .c (including *conf.c). It excludes the usual System32/SysWOW64 execution paths to reduce noise, and leverages the OriginalFileName field to distinguish a legitimate svchost.exe from a renamed tcc.exe.

The rule is mapped to MITRE techniques T1059.003 (Windows Command Shell/Command-Line), T1027 (Obfuscated/Compressed Files and Information), and T1036 (Masquerading). When triggered, it surfaces the destination host, the user, and the suspicious process and command-line details for investigation.

The description notes that legitimate TinyCC usage by developers can trigger false positives, especially when run from non-standard directories with unusual flags, and recommends reviewing the environment, validating the binary's provenance, and applying allowlists where appropriate. Implementation requires endpoint logs with process-creation data and full command-line capture, with Sysmon configured (at least Sysmon 6.0.4) and EventCode 1 enabled, so that OriginalFileName is populated and a genuine svchost.exe can be differentiated from a renamed tcc.exe.
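The detection logic described above, as an added example rather than the rule's own search: a small Python re-implementation run over constructed process-creation records. The field names (dest, user, image, original_file_name, command_line) and the sample events are assumptions modelled on the summary, not taken from the rule or from real telemetry.

```python
# Added example (not the rule's own source): re-implements the detection logic
# summarised above and runs it over constructed Sysmon EventID 1-style records.
# Field names and sample events are assumptions for illustration only.
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

WATCHED_NAMES = {"svchost.exe", "tcc.exe"}   # process_name values the rule watches
REQUIRED_FLAGS = ("-nostdlib", "-run")       # both must appear on the command line
# Directories where the genuine svchost.exe lives; excluded to reduce noise.
SYSTEM_DIR_SUFFIXES = ("\\windows\\system32", "\\windows\\syswow64")
TOKEN_RE = re.compile(r'"[^"]*"|\S+')        # quote-aware command-line tokenizer


@dataclass
class ProcessEvent:
    """Subset of a process-creation event (Sysmon EventID 1 / Security 4688)."""
    dest: str
    user: str
    image: str                # full path of the executed binary
    original_file_name: str   # PE version-info OriginalFileName captured by Sysmon
    command_line: str


def tokenize(command_line):
    """Split a command line on whitespace while keeping quoted paths intact."""
    return [t.strip('"') for t in TOKEN_RE.findall(command_line)]


def in_system_dir(image):
    """True when the image sits in System32 or SysWOW64 (the rule's exclusion)."""
    parent = str(PureWindowsPath(image).parent).lower()
    return parent.endswith(SYSTEM_DIR_SUFFIXES)


def evaluate(event):
    """Return a finding dict if the event matches every rule condition, else None."""
    name = PureWindowsPath(event.image).name.lower()
    if name not in WATCHED_NAMES or in_system_dir(event.image):
        return None
    tokens = tokenize(event.command_line)
    lowered = [t.lower() for t in tokens]
    if not all(flag in lowered for flag in REQUIRED_FLAGS):
        return None
    # Source files handed to tcc: any token ending in .c (this also covers conf.c).
    sources = [t for t in tokens if t.lower().endswith(".c")]
    if not sources:
        return None
    # OriginalFileName separates a renamed tcc.exe from a real svchost.exe.
    masquerading = name != event.original_file_name.lower()
    return {
        "dest": event.dest,
        "user": event.user,
        "process_name": name,
        "original_file_name": event.original_file_name,
        "masquerading": masquerading,
        "source_files": sources,
        "command_line": event.command_line,
    }


def run_detection(events):
    """Apply the rule to a batch of events and return only the findings."""
    return [f for f in map(evaluate, events) if f is not None]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # renamed tcc.exe in a user-writable path, compiling conf.c at runtime
    ProcessEvent("WS01", "CORP\\jdoe", "C:\\Users\\Public\\svchost.exe", "tcc.exe",
                 '"C:\\Users\\Public\\svchost.exe" -nostdlib -run C:\\Users\\Public\\conf.c'),
    # genuine service host, excluded by the System32 path check
    ProcessEvent("WS01", "NT AUTHORITY\\SYSTEM", "C:\\Windows\\System32\\svchost.exe",
                 "svchost.exe", "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"),
    # developer use without -nostdlib: not enough to match
    ProcessEvent("DEV02", "CORP\\builder", "C:\\tools\\tcc\\tcc.exe", "tcc.exe",
                 "C:\\tools\\tcc\\tcc.exe -run hello.c"),
    # developer use with both flags: matches, but OriginalFileName shows no renaming
    ProcessEvent("DEV02", "CORP\\builder", "C:\\tools\\tcc\\tcc.exe", "tcc.exe",
                 'tcc.exe -nostdlib -run "C:\\dev\\freestanding test.c"'),
]

if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS):
        tag = "MASQUERADE" if finding["masquerading"] else "review (possible dev use)"
        print(f'{finding["dest"]} {finding["user"]}: {finding["process_name"]} '
              f'[{tag}] sources={finding["source_files"]}')
```

The `masquerading` flag is what makes the OriginalFileName requirement concrete: the first sample event (svchost.exe whose PE metadata still says tcc.exe) is the campaign pattern, while the last one matches every command-line condition but is an unrenamed tcc.exe, which is the developer false-positive case the summary warns about and a natural candidate for an allowlist keyed on path and OriginalFileName.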
Categories
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1059
- T1027
- T1059.003
- T1036
- T1059.005
Created: 2026-03-13