Suspicious ArcSOC.exe Child Process

Hunt Hypothesis

Detects script interpreters, command-line tools, and similar suspicious child processes of ArcSOC.exe. ArcSOC.exe is the process name which hosts ArcGIS Server REST services. If an attacker compromise

Detection Rule

Sigma (Original)

title: Suspicious ArcSOC.exe Child Process
id: 8e95e73e-ba02-4a87-b4d7-0929b8053038
status: experimental
description: |
    Detects script interpreters, command-line tools, and similar suspicious child processes of ArcSOC.exe.
    ArcSOC.exe is the process name which hosts ArcGIS Server REST services. If an attacker compromises an ArcGIS
    Server system and uploads a malicious Server Object Extension (SOE), they can send crafted requests to the corresponding
    service endpoint and remotely execute code from the ArcSOC.exe process.
references:
    - https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise/
    - https://enterprise.arcgis.com/en/server/12.0/administer/windows/inside-an-arcgis-server-site.htm
author: Micah Babinski
date: 2025-11-25
tags:
    - attack.execution
    - attack.t1059
    - attack.t1203
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\ArcSOC.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    filter_main_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine: 'cmd.exe /c "ver"'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where ((ParentProcessName endswith "\\ArcSOC.exe" or ActingProcessName endswith "\\ArcSOC.exe") and (TargetProcessName endswith "\\cmd.exe" or TargetProcessName endswith "\\cscript.exe" or TargetProcessName endswith "\\mshta.exe" or TargetProcessName endswith "\\powershell.exe" or TargetProcessName endswith "\\pwsh.exe" or TargetProcessName endswith "\\regsvr32.exe" or TargetProcessName endswith "\\rundll32.exe" or TargetProcessName endswith "\\wmic.exe" or TargetProcessName endswith "\\wscript.exe")) and (not((TargetProcessName endswith "\\cmd.exe" and TargetProcessCommandLine =~ "cmd.exe /c \"ver\"")))

Required Data Sources

False Positive Guidance

• Unknown

MITRE ATT&CK Context

• Tactic: Execution
• Technique: T1059 — Command and Scripting Interpreter

  Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common featu

• Technique: T1203 — Exploitation for Client Execution

  Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior.

Validation (Atomic Red Team)

Use these Atomic Red Team tests to validate this detection fires correctly:

• T1059 — Command and Scripting Interpreter

References

• https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise/
• https://enterprise.arcgis.com/en/server/12.0/administer/windows/inside-an-arcgis-server-site.htm
• SigmaHQ Rule