Suspicious File Created by ArcSOC.exe
Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts the REST services running on an ArcGIS Server site, creates a file with a suspicious file type, indicating that it may be an executable, a script file, or otherwise unusual.
Sigma rule
title: Suspicious File Created by ArcSOC.exe
id: e890acee-d488-420e-8f20-d9b19b3c3d43
status: experimental
description: |
    Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS
    server, creates a file with a suspicious file type, indicating that it may be an executable, script file,
    or otherwise unusual.
references:
    - https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise/
    - https://enterprise.arcgis.com/en/server/12.0/administer/windows/inside-an-arcgis-server-site.htm
author: Micah Babinski
date: 2025-11-25
tags:
    - attack.command-and-control
    - attack.persistence
    - attack.initial-access
    - attack.execution
    - attack.stealth
    - attack.t1127
    - attack.t1105
    - attack.t1133
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\ArcSOC.exe'
        TargetFilename|endswith:
            - '.ahk'
            - '.aspx'
            - '.au3'
            - '.bat'
            - '.cmd'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.js'
            - '.ps1'
            - '.py'
            - '.vbe'
            - '.vbs'
            - '.wsf'
    condition: selection
falsepositives:
    - Unlikely
level: high
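To show what the selection above actually matches, here is the rule's logic re-implemented in Python and run over a few constructed file-creation events in the shape of Sysmon Event ID 11 (Image and TargetFilename fields). This is an added example, not code from the Sigma project or the rule author; the sample events, file paths and the JSON-lines input format are assumptions made for the demonstration. Like Sigma's default string matching, the comparison is case-insensitive, so a file written as `shell.ASPX` is still flagged.

```python
import json

# Extensions copied from the rule's TargetFilename|endswith list.
SUSPICIOUS_EXTENSIONS = (
    ".ahk", ".aspx", ".au3", ".bat", ".cmd", ".dll", ".exe",
    ".hta", ".js", ".ps1", ".py", ".vbe", ".vbs", ".wsf",
)

# Sigma string comparisons are case-insensitive by default, so the
# Image suffix is lower-cased once here and inputs are lower-cased below.
IMAGE_SUFFIX = "\\arcsoc.exe"


def matches_rule(event: dict) -> bool:
    """Return True when a file_event satisfies the rule's 'selection'.

    Both conditions must hold: the creating process image ends with
    \\ArcSOC.exe, and the created file name ends with one of the
    suspicious extensions.
    """
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    if not image.endswith(IMAGE_SUFFIX):
        return False
    return any(target.endswith(ext) for ext in SUSPICIOUS_EXTENSIONS)


def find_hits(jsonl_log: str) -> list:
    """Parse a JSON-lines log (one event per line) and return matching events."""
    hits = []
    for line in jsonl_log.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if matches_rule(event):
            hits.append(event)
    return hits


# Constructed sample log (assumption: field names follow Sysmon Event ID 11).
# Only the .ASPX and .ps1 writes by ArcSOC.exe should match; the PNG map
# output is normal service behaviour, and the .exe written by a different
# process is outside the rule's scope.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"Image": "C:\\Program Files\\ArcGIS\\Server\\bin\\ArcSOC.exe",
     "TargetFilename": "C:\\arcgisserver\\directories\\arcgisoutput\\map_export.png"},
    {"Image": "C:\\Program Files\\ArcGIS\\Server\\bin\\ArcSOC.exe",
     "TargetFilename": "C:\\arcgisserver\\directories\\arcgisoutput\\update.ASPX"},
    {"Image": "C:\\Program Files\\ArcGIS\\Server\\bin\\ArcSOC.exe",
     "TargetFilename": "C:\\Windows\\Temp\\sync.ps1"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Windows\\Temp\\tool.exe"},
])


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(f"ALERT: {hit['Image']} created {hit['TargetFilename']}")
```

When tuning this in a real environment, inspect the `TargetFilename` directory of any hits: ArcSOC.exe normally writes map tiles, job outputs and logs under the site's `arcgisoutput` and `arcgisjobs` directories, so a script or binary landing in a web-served or temp path is the signal the rule is built to surface.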
Related rules
- File Download Via Bitsadmin
- File Download Via Bitsadmin To A Suspicious Target Folder
- File With Suspicious Extension Downloaded Via Bitsadmin
- OpenCanary - Telnet Login Attempt
- Scheduled Task Creation with Curl and PowerShell Execution Combo