Suspicious ArcSOC.exe Child Process
Detects script interpreters, command-line tools, and similar suspicious child processes of ArcSOC.exe. ArcSOC.exe is the process name which hosts ArcGIS Server REST services. If an attacker compromises an ArcGIS Server system and uploads a malicious Server Object Extension (SOE), they can send crafted requests to the corresponding service endpoint and remotely execute code from the ArcSOC.exe process.
Sigma rule (View on GitHub)
1title: Suspicious ArcSOC.exe Child Process
2id: 8e95e73e-ba02-4a87-b4d7-0929b8053038
3status: experimental
4description: |
5 Detects script interpreters, command-line tools, and similar suspicious child processes of ArcSOC.exe.
6 ArcSOC.exe is the process name which hosts ArcGIS Server REST services. If an attacker compromises an ArcGIS
7 Server system and uploads a malicious Server Object Extension (SOE), they can send crafted requests to the corresponding
8 service endpoint and remotely execute code from the ArcSOC.exe process.
9references:
10 - https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise/
11 - https://enterprise.arcgis.com/en/server/12.0/administer/windows/inside-an-arcgis-server-site.htm
12author: Micah Babinski
13date: 2025-11-25
14tags:
15 - attack.execution
16 - attack.t1059
17 - attack.t1203
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection:
23 ParentImage|endswith: '\ArcSOC.exe'
24 Image|endswith:
25 - '\cmd.exe'
26 - '\cscript.exe'
27 - '\mshta.exe'
28 - '\powershell.exe'
29 - '\pwsh.exe'
30 - '\regsvr32.exe'
31 - '\rundll32.exe'
32 - '\wmic.exe'
33 - '\wscript.exe'
34 filter_main_cmd:
35 Image|endswith: '\cmd.exe'
36 CommandLine: 'cmd.exe /c "ver"'
37 condition: selection and not 1 of filter_main_*
38falsepositives:
39 - Unknown
40level: high
References
-
ReliaQuest threat research details how the Flax Typhoon APT group maintained year-long access to an ArcGIS system by turning trusted software into a backdoor.
Read More -
An ArcGIS Server site consists of several components that can optionally be distributed across multiple machines to increase computing power.
Read More
Related rules
- Suspicious ArcSOC.exe Child Process
- Suspicious Invocation of Shell via Rsync
- Suspicious Browser Child Process - MacOS
- Linux Suspicious Child Process from Node.js - React2Shell
- Windows Suspicious Child Process from Node.js - React2Shell