ArcSOC.exe Creating Suspicious Files
Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS server, creates files with suspicious file types, indicating that they may be executables, script files, or otherwise unusual.
Sigma rule

```yaml
title: ArcSOC.exe Creating Suspicious Files
id: e890acee-d488-420e-8f20-d9b19b3c3d43
status: experimental
description: |
    Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS
    server, creates files with suspicious file types, indicating that they may be executables, script files,
    or otherwise unusual.
references:
    - https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise/
    - https://enterprise.arcgis.com/en/server/12.0/administer/windows/inside-an-arcgis-server-site.htm
author: Micah Babinski
date: 2025-11-25
tags:
    - attack.defense-evasion
    - attack.command-and-control
    - attack.persistence
    - attack.t1127
    - attack.t1105
    - attack.t1133
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\ArcSOC.exe'
        TargetFilename|endswith:
            - '.exe'
            - '.dll'
            - '.ps1'
            - '.py'
            - '.vbs'
            - '.hta'
            - '.cmd'
            - '.bat'
            - '.wsf'
            - '.js'
            - '.ahk'
            - '.au3'
            - '.aspx'
    condition: selection
falsepositives:
    - Unknown
level: low
```
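To see how this selection behaves on real telemetry, here is an added example (not part of the rule or the Sigma project) that evaluates the rule's two `endswith` fields over constructed Windows file-creation events. Sigma string matching is case-insensitive by default, so the matcher folds case before comparing, which is why a `.EXE` target still fires; the sample events and paths are made up for illustration.

```python
"""Evaluate the ArcSOC.exe file-creation Sigma rule against sample file events."""
from typing import Iterable

# Selection copied from the rule above. Sigma string matching is
# case-insensitive, so '.EXE' or '.Exe' also match the '.exe' pattern.
SELECTION = {
    "Image|endswith": [r"\ArcSOC.exe"],
    "TargetFilename|endswith": [
        ".exe", ".dll", ".ps1", ".py", ".vbs", ".hta", ".cmd",
        ".bat", ".wsf", ".js", ".ahk", ".au3", ".aspx",
    ],
}

def _field_matches(modifier: str, value: str, patterns: list[str]) -> bool:
    """Apply one Sigma string modifier (endswith/startswith/contains or exact)."""
    v = value.casefold()
    for p in patterns:
        p = p.casefold()
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "startswith" and v.startswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier == "" and v == p:
            return True
    return False

def matches_selection(event: dict, selection: dict = SELECTION) -> bool:
    """Fields in one Sigma selection map are ANDed; list values are ORed."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False  # missing field can never satisfy the condition
        if not _field_matches(modifier, str(event[field]), patterns):
            return False
    return True

# Constructed file_event records (Sysmon Event ID 11 style); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\ArcGIS\Server\bin\ArcSOC.exe",
     "TargetFilename": r"C:\arcgisserver\directories\arcgisoutput\_ags_map1.png"},
    {"Image": r"C:\Program Files\ArcGIS\Server\bin\ArcSOC.exe",
     "TargetFilename": r"C:\arcgisserver\directories\arcgisjobs\update.EXE"},
    {"Image": r"C:\Program Files\ArcGIS\Server\bin\ArcSOC.exe",
     "TargetFilename": r"C:\arcgisserver\directories\arcgisoutput\report.aspx"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\ops\tools\run.ps1"},
]

def alerting_events(events: Iterable[dict]) -> list[dict]:
    """Return the events this rule would raise an alert for."""
    return [e for e in events if matches_selection(e)]
```

Running `alerting_events(SAMPLE_EVENTS)` returns the `.EXE` and `.aspx` creations only; the PNG written by ArcSOC.exe and the script written by a different process do not match.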