← Back to Explore
sigmahighHunting
Suspicious File Created by ArcSOC.exe
Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS server, creates a file with suspicious file type, indicating that it may be an executable, script file, or otherwise unusual.
Detection Query
selection:
Image|endswith: \ArcSOC.exe
TargetFilename|endswith:
- .ahk
- .aspx
- .au3
- .bat
- .cmd
- .dll
- .exe
- .hta
- .js
- .ps1
- .py
- .vbe
- .vbs
- .wsf
condition: selection
Author
Micah Babinski
Created
2025-11-25
Data Sources
windowsFile Events
Platforms
windows
References
Tags
attack.defense-evasionattack.command-and-controlattack.persistenceattack.initial-accessattack.t1127attack.t1105attack.t1133
Raw Content
title: Suspicious File Created by ArcSOC.exe
id: e890acee-d488-420e-8f20-d9b19b3c3d43
status: experimental
description: |
Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS
server, creates a file with suspicious file type, indicating that it may be an executable, script file,
or otherwise unusual.
references:
- https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise/
- https://enterprise.arcgis.com/en/server/12.0/administer/windows/inside-an-arcgis-server-site.htm
author: Micah Babinski
date: 2025-11-25
tags:
- attack.defense-evasion
- attack.command-and-control
- attack.persistence
- attack.initial-access
- attack.t1127
- attack.t1105
- attack.t1133
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith: '\ArcSOC.exe'
TargetFilename|endswith:
- '.ahk'
- '.aspx'
- '.au3'
- '.bat'
- '.cmd'
- '.dll'
- '.exe'
- '.hta'
- '.js'
- '.ps1'
- '.py'
- '.vbe'
- '.vbs'
- '.wsf'
condition: selection
falsepositives:
- Unlikely
level: high