title: Suspicious File Created by ArcSOC.exe
id: e890acee-d488-420e-8f20-d9b19b3c3d43
status: experimental
description: |
    Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts the REST services running on an ArcGIS
    Server site, creates a file whose extension indicates an executable, a script, or another file type that
    ArcSOC.exe would not normally write.
references:
    - https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise/
    - https://enterprise.arcgis.com/en/server/12.0/administer/windows/inside-an-arcgis-server-site.htm
author: Micah Babinski
date: 2025-11-25
tags:
    - attack.defense-evasion
    - attack.command-and-control
    - attack.persistence
    - attack.initial-access
    - attack.t1127
    - attack.t1105
    - attack.t1133
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\ArcSOC.exe'
        TargetFilename|endswith:
            - '.ahk'
            - '.aspx'
            - '.au3'
            - '.bat'
            - '.cmd'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.js'
            - '.ps1'
            - '.py'
            - '.vbe'
            - '.vbs'
            - '.wsf'
    condition: selection
falsepositives:
    - Unlikely
level: high
imFileEvent
// Sigma 'Image' is the process that created the file; in the ASIM FileEvent schema that is
// ActingProcessName. Matching it against TargetFilePath would only fire when a file named
// ArcSOC.exe is itself created, so the acting-process field is used here.
| where ActingProcessName endswith "\\ArcSOC.exe"
| where TargetFileName endswith ".ahk" or TargetFileName endswith ".aspx" or TargetFileName endswith ".au3"
    or TargetFileName endswith ".bat" or TargetFileName endswith ".cmd" or TargetFileName endswith ".dll"
    or TargetFileName endswith ".exe" or TargetFileName endswith ".hta" or TargetFileName endswith ".js"
    or TargetFileName endswith ".ps1" or TargetFileName endswith ".py" or TargetFileName endswith ".vbe"
    or TargetFileName endswith ".vbs" or TargetFileName endswith ".wsf"
| project TimeGenerated, DvcHostname, ActingProcessName, ActingProcessCommandLine, TargetFilePath
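To show what the selection above actually matches before it is deployed, here is the rule's logic implemented in Python and run over a handful of constructed Sysmon Event ID 11 (FileCreate) records. This is an added illustration, not code from the rule author or from SigmaHQ tooling; the events, paths and file names are made up for the example, and the only behaviour it reproduces is the Sigma default of case-insensitive `endswith` on `Image` and `TargetFilename`.

```python
"""Evaluate the 'Suspicious File Created by ArcSOC.exe' selection over constructed file-create events.

Added example, not part of the rule. Sigma string modifiers such as |endswith are
case-insensitive by default, so both fields are lower-cased before comparison.
"""
from __future__ import annotations

from dataclasses import dataclass

# Extension list copied verbatim from the rule's TargetFilename|endswith selection.
SUSPICIOUS_SUFFIXES = (
    ".ahk", ".aspx", ".au3", ".bat", ".cmd", ".dll", ".exe",
    ".hta", ".js", ".ps1", ".py", ".vbe", ".vbs", ".wsf",
)
# Image|endswith: '\ArcSOC.exe' (lower-cased for the case-insensitive compare)
IMAGE_SUFFIX = "\\arcsoc.exe"


@dataclass(frozen=True)
class FileEvent:
    """Minimal view of a Sysmon Event ID 11 record (constructed, not real telemetry)."""
    image: str            # Sysmon 'Image': process that created the file
    target_filename: str  # Sysmon 'TargetFilename': full path of the created file


def matches(ev: FileEvent) -> bool:
    """Return True when the event satisfies the rule's single 'selection' block."""
    image = ev.image.lower()
    target = ev.target_filename.lower()
    return image.endswith(IMAGE_SUFFIX) and target.endswith(SUSPICIOUS_SUFFIXES)


# Constructed sample events; paths and names are hypothetical.
SAMPLE_EVENTS = [
    # Routine ArcSOC.exe output (map image): must not fire.
    FileEvent(r"C:\Program Files\ArcGIS\Server\bin\ArcSOC.exe",
              r"C:\arcgisserver\directories\arcgisoutput\_ags_map1.png"),
    # Server-side script dropped by the service host process: fires.
    FileEvent(r"C:\Program Files\ArcGIS\Server\bin\ArcSOC.exe",
              r"C:\inetpub\wwwroot\arcgis\upload.aspx"),
    # Same behaviour with different casing in both fields: still fires.
    FileEvent(r"c:\program files\arcgis\server\bin\ARCSOC.EXE",
              r"C:\Windows\Temp\update.EXE"),
    # Same file type written by an unrelated process: out of scope for this rule.
    FileEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\Temp\update.exe"),
    # '.json' does not end with '.js', so configuration writes do not fire.
    FileEvent(r"C:\Program Files\ArcGIS\Server\bin\ArcSOC.exe",
              r"C:\arcgisserver\config-store\services\map1.json"),
]


def run(events: list[FileEvent] = SAMPLE_EVENTS) -> list[str]:
    """Return the TargetFilename of every event that the rule would alert on."""
    return [ev.target_filename for ev in events if matches(ev)]


if __name__ == "__main__":
    for hit in run():
        print("ALERT:", hit)
```

Running the block prints the two `.aspx`/`.EXE` hits and nothing for the image, JSON, or svchost.exe events; the casing case is the one to watch when porting the rule to a backend whose string operators are case-sensitive.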
| Sentinel Table | Notes |
|---|---|
| imFileEvent | ASIM FileEvent unifying parser rather than a raw table: deploy the ASIM parsers and enable a data connector that supplies file-create events (for Sysmon, Event ID 11). |
- T1127 (Trusted Developer Utilities Proxy Execution): Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute
- T1105 (Ingress Tool Transfer): Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network th
- T1133 (External Remote Services): Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect t