Date: 12/22/2025
Severity: High
Summary
Detects script interpreters, command-line utilities and other living-off-the-land binaries spawned as child processes of ArcSOC.exe. ArcSOC.exe is the process that hosts ArcGIS Server REST services. If an attacker compromises an ArcGIS Server environment and deploys a malicious Server Object Extension (SOE), they can issue specially crafted requests to the affected service endpoint to achieve remote code execution inside the ArcSOC.exe process. Code running in that process is not directly visible on the endpoint, but the commands it launches are: ArcSOC.exe has no normal reason to start cmd.exe, PowerShell or a script host, so any such child process should be treated as a strong indicator of post-exploitation activity.
Indicators of Compromise (IOC) List
Process name (child process, path ends with):
- \cmd.exe
- \cscript.exe
- \mshta.exe
- \powershell.exe
- \pwsh.exe
- \regsvr32.exe
- \rundll32.exe
- \wmic.exe
- \wscript.exe
Parent process name (path ends with):
- \ArcSOC.exe
Known-benign command line excluded by the rule:
- 'cmd.exe /c "ver"' (a cmd.exe child of ArcSOC.exe with exactly this command line is filtered out to reduce false positives; it is not an indicator, and any other cmd.exe command line under ArcSOC.exe still alerts)
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (Windows Security, event ID 4688):
resourcename = "Windows Security" AND eventtype = "4688" AND processname IN ("\cmd.exe","\cscript.exe","\mshta.exe","\powershell.exe","\pwsh.exe","\regsvr32.exe","\rundll32.exe","\wmic.exe","\wscript.exe") AND parentprocessname like "\ArcSOC.exe" AND NOT (processname like "\cmd.exe" AND commandline like "cmd.exe /c ver")
Detection Query 2 (EDR process telemetry):
technologygroup = "EDR" AND processname IN ("\cmd.exe","\cscript.exe","\mshta.exe","\powershell.exe","\pwsh.exe","\regsvr32.exe","\rundll32.exe","\wmic.exe","\wscript.exe") AND parentprocessname like "\ArcSOC.exe" AND NOT (processname like "\cmd.exe" AND commandline like "cmd.exe /c ver")
Note on the exclusion: the benign case is the conjunction of process name and command line, so it must be negated as a whole, NOT (cmd.exe AND ver). Writing it as (processname not like "\cmd.exe" AND commandline not like "cmd.exe /c ver") suppresses every cmd.exe child of ArcSOC.exe, including cmd.exe /c whoami, which is exactly what the rule exists to catch. The command-line literal should match the full benign invocation, 'cmd.exe /c "ver"', using whatever quoting the query language requires. Event 4688 only carries the command line when "Include command line in process creation events" auditing is enabled; without it, the cmd.exe exclusion cannot be evaluated and the EDR query is the reliable one.
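The rule logic above, applied to a handful of constructed process-creation events, as an added example (not Gurucul or SigmaHQ code). Field names follow Sigma's process_creation log source (Image, ParentImage, CommandLine), path matching is case-insensitive suffix matching as in Sigma's endswith modifier, and the sample events, including the ArcGIS install path, are constructed for illustration. A second function deliberately reproduces the mis-negated exclusion so the difference is visible on the same input.

```python
# Added example (not Gurucul or SigmaHQ code): the ArcSOC.exe suspicious
# child-process rule applied to constructed process-creation events.
# Field names follow Sigma's process_creation log source (Image,
# ParentImage, CommandLine); all events below are constructed samples.
from dataclasses import dataclass
from typing import Iterable, List

SUSPICIOUS_CHILDREN = (
    r"\cmd.exe", r"\cscript.exe", r"\mshta.exe", r"\powershell.exe",
    r"\pwsh.exe", r"\regsvr32.exe", r"\rundll32.exe", r"\wmic.exe",
    r"\wscript.exe",
)
PARENT_SUFFIX = r"\ArcSOC.exe"
BENIGN_VER_CHECK = 'cmd.exe /c "ver"'   # the rule's single false-positive exclusion


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the created process (4688 NewProcessName)
    parent_image: str   # full path of the creator process (4688 ParentProcessName)
    command_line: str   # 4688 CommandLine; only populated with command-line auditing on


def _endswith_ci(value: str, suffix: str) -> bool:
    # Windows paths are case-insensitive, and so is Sigma's |endswith.
    return value.lower().endswith(suffix.lower())


def matches_selection(ev: ProcessEvent) -> bool:
    """Sigma 'selection': a listed interpreter/LOLBin whose parent is ArcSOC.exe."""
    return _endswith_ci(ev.parent_image, PARENT_SUFFIX) and any(
        _endswith_ci(ev.image, s) for s in SUSPICIOUS_CHILDREN
    )


def is_benign_ver_check(ev: ProcessEvent) -> bool:
    """Sigma filter: cmd.exe whose entire command line is the 'ver' probe."""
    return _endswith_ci(ev.image, r"\cmd.exe") and (
        ev.command_line.strip().lower() == BENIGN_VER_CHECK.lower()
    )


def detect(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """condition: selection and not filter"""
    return [ev for ev in events if matches_selection(ev) and not is_benign_ver_check(ev)]


def detect_with_broken_exclusion(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Same selection, but the exclusion written as (NOT cmd.exe) AND (NOT ver)
    instead of NOT (cmd.exe AND ver): every cmd.exe child of ArcSOC.exe is lost."""
    return [
        ev for ev in events
        if matches_selection(ev)
        and not _endswith_ci(ev.image, r"\cmd.exe")
        and ev.command_line.strip().lower() != BENIGN_VER_CHECK.lower()
    ]


# Constructed paths (the ArcGIS install location is an assumption).
ARCSOC = r"C:\Program Files\ArcGIS\Server\bin\ArcSOC.exe"
SYSTEM32 = r"C:\Windows\System32"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # 1. the benign version probe: selected, then removed by the filter
    ProcessEvent(SYSTEM32 + r"\cmd.exe", ARCSOC, 'cmd.exe /c "ver"'),
    # 2. cmd.exe running a discovery command: must alert
    ProcessEvent(SYSTEM32 + r"\cmd.exe", ARCSOC, "cmd.exe /c whoami"),
    # 3. PowerShell child with a lower-cased parent path: must still alert
    ProcessEvent(
        SYSTEM32 + r"\WindowsPowerShell\v1.0\powershell.exe",
        ARCSOC.lower(),
        "powershell.exe -nop -w hidden -c whoami",
    ),
    # 4. same 'ver' command line under a different parent: out of scope
    ProcessEvent(SYSTEM32 + r"\cmd.exe", SYSTEM32 + r"\svchost.exe", 'cmd.exe /c "ver"'),
    # 5. ArcSOC.exe child that is not on the list: no alert
    ProcessEvent(SYSTEM32 + r"\conhost.exe", ARCSOC, "conhost.exe 0x4"),
]


if __name__ == "__main__":
    for ev in detect(SAMPLE_EVENTS):
        print("ALERT:", ev.image, "<-", ev.parent_image, "|", ev.command_line)
```

On the sample set detect() returns events 2 and 3, while detect_with_broken_exclusion() returns only event 3: the whoami launched through cmd.exe disappears, which is the failure mode a mis-negated exclusion introduces. The filter compares the whole command line, not a substring, so `cmd.exe /c "ver" && whoami` is still caught.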
Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_arcsoc_susp_child_process.yml