Suspicious File Created by ArcSOC.exe
Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts the REST services running on an ArcGIS Server site, creates a file with a suspicious file type, indicating that the file may be an executable, a script, or otherwise unusual for that process to write.
Sigma rule
title: Suspicious File Created by ArcSOC.exe
id: e890acee-d488-420e-8f20-d9b19b3c3d43
status: experimental
description: |
    Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS
    server, creates a file with suspicious file type, indicating that it may be an executable, script file,
    or otherwise unusual.
references:
    - https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise/
    - https://enterprise.arcgis.com/en/server/12.0/administer/windows/inside-an-arcgis-server-site.htm
author: Micah Babinski
date: 2025-11-25
tags:
    - attack.defense-evasion
    - attack.command-and-control
    - attack.persistence
    - attack.initial-access
    - attack.t1127
    - attack.t1105
    - attack.t1133
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\ArcSOC.exe'
        TargetFilename|endswith:
            - '.ahk'
            - '.aspx'
            - '.au3'
            - '.bat'
            - '.cmd'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.js'
            - '.ps1'
            - '.py'
            - '.vbe'
            - '.vbs'
            - '.wsf'
    condition: selection
falsepositives:
    - Unlikely
level: high
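To show what the selection above actually matches, here is an added example (not part of the rule page or the Sigma project) that evaluates the rule's logic over constructed Windows file-creation events in the shape of Sysmon Event ID 11 records; the event contents and paths are made up for illustration.

```python
# Added example: applies the "Suspicious File Created by ArcSOC.exe" selection
# to file_event records the way a Sigma backend would compile it.
# Sample events below are constructed (Sysmon EID 11 style), not real telemetry.

# Values copied from the rule's detection block.
IMAGE_SUFFIX = "\\ArcSOC.exe"
SUSPICIOUS_EXTENSIONS = (
    ".ahk", ".aspx", ".au3", ".bat", ".cmd", ".dll", ".exe",
    ".hta", ".js", ".ps1", ".py", ".vbe", ".vbs", ".wsf",
)


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies `condition: selection`.

    Sigma string modifiers such as `endswith` compare case-insensitively by
    default, so both fields are lower-cased first. The two fields inside the
    selection are AND-ed; the TargetFilename list is OR-ed, as a Sigma list
    value is.
    """
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    return image.endswith(IMAGE_SUFFIX.lower()) and target.endswith(SUSPICIOUS_EXTENSIONS)


# Constructed sample events: two benign ArcSOC.exe outputs (a rendered map tile
# and a job file), one script dropped by ArcSOC.exe, and one unrelated process.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\ArcGIS\Server\bin\ArcSOC.exe",
     "TargetFilename": r"C:\arcgisserver\directories\arcgisoutput\map.png"},
    {"EventID": 11, "Image": r"C:\Program Files\ArcGIS\Server\bin\ArcSOC.exe",
     "TargetFilename": r"C:\Windows\Temp\update.PS1"},
    {"EventID": 11, "Image": r"C:\Program Files\ArcGIS\Server\bin\ArcSOC.exe",
     "TargetFilename": r"C:\arcgisserver\directories\arcgisjobs\job.json"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\svc.exe"},
]


def alerts(events):
    """Return the TargetFilename of every event that triggers the rule."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT: ArcSOC.exe created", hit)
```

Only the `.PS1` drop fires; the mixed-case extension is caught because Sigma matching is case-insensitive, which is worth remembering if you port the rule to a backend that is not.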