Suspicious ArcSOC.exe Child Process
This rule detects script interpreters, command-line tools, and similar suspicious child processes of ArcSOC.exe. ArcSOC.exe is the process that hosts ArcGIS Server REST services. If an attacker compromises an ArcGIS Server system and uploads a malicious Server Object Extension (SOE), they can send crafted requests to the corresponding service endpoint and remotely execute code from the ArcSOC.exe process.
Sigma rule
```yaml
title: Suspicious ArcSOC.exe Child Process
id: 8e95e73e-ba02-4a87-b4d7-0929b8053038
status: experimental
description: |
    This rule detects script interpreters, command-line tools, and similar suspicious child processes of ArcSOC.exe.
    ArcSOC.exe is the process name which hosts ArcGIS Server REST services. If an attacker compromises an ArcGIS
    Server system and uploads a malicious Server Object Extension (SOE), they can send crafted requests to the corresponding
    service endpoint and remotely execute code from the ArcSOC.exe process.
references:
    - https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise/
    - https://enterprise.arcgis.com/en/server/12.0/administer/windows/inside-an-arcgis-server-site.htm
author: Micah Babinski
date: 2025-11-25
tags:
    - attack.execution
    - attack.t1059
    - attack.t1203
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\ArcSOC.exe'
        Image|endswith:
            - '\rundll32.exe'
            - '\regsvr32.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\powershell.exe'
            - '\cmd.exe'
            - '\mshta.exe'
    filter_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine: 'cmd.exe /c "ver"'
    filter_werfault:
        Image|endswith: '\werfault.exe'
    filter_esri_report_writer:
        Image|endswith: '\ESRIErrorReportWriter.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: low
```
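The rule's `selection and not 1 of filter_*` logic, applied to a handful of constructed process-creation events so the filter behaviour is visible (benign `ver` check excluded, any other `cmd.exe` invocation kept, WerFault ignored). This is an added example, not part of the rule page or the SigmaHQ project; the file paths and command lines in the sample events are constructed, and Sigma's default case-insensitive string matching is assumed.

```python
# Added example: evaluates the Sigma rule above against constructed events.
# Lowercased because Sigma string matching is case-insensitive by default.
SUSPICIOUS_CHILDREN = (
    "\\rundll32.exe", "\\regsvr32.exe", "\\wscript.exe", "\\cscript.exe",
    "\\powershell.exe", "\\cmd.exe", "\\mshta.exe",
)
ARCSOC_PATH = r"C:\Program Files\ArcGIS\Server\bin\ArcSOC.exe"  # constructed path


def matches_rule(event: dict) -> bool:
    """Evaluate `selection and not 1 of filter_*` for one event."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()

    selection = parent.endswith("\\arcsoc.exe") and image.endswith(SUSPICIOUS_CHILDREN)
    # filter_cmd is an exact (case-insensitive) CommandLine match, not a substring test.
    filter_cmd = image.endswith("\\cmd.exe") and cmdline == 'cmd.exe /c "ver"'
    filter_werfault = image.endswith("\\werfault.exe")
    filter_esri = image.endswith("\\esrierrorreportwriter.exe")
    return selection and not (filter_cmd or filter_werfault or filter_esri)


# Constructed Sysmon-style events, not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": ARCSOC_PATH,  # script interpreter under ArcSOC.exe: fires
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
    {"ParentImage": ARCSOC_PATH,  # benign version check excluded by filter_cmd
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'CMD.EXE /c "ver"'},
    {"ParentImage": ARCSOC_PATH,  # any other cmd.exe invocation: fires
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c hostname"},
    {"ParentImage": ARCSOC_PATH,  # crash reporter: outside selection and filtered
     "Image": r"C:\Windows\System32\WerFault.exe",
     "CommandLine": "WerFault.exe -u -p 4120 -s 512"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # same child, other parent: silent
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
]


def alerting_command_lines(events=SAMPLE_EVENTS) -> list[str]:
    """Return the CommandLine of each event the rule would alert on."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for line in alerting_command_lines():
        print("ALERT:", line)
```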