Suspicious File Created by ArcSOC.exe

    Wednesday, December 24, 2025 In: Threat Research Print

    Date: 12/24/2025

    Severity: High

    Summary

    Identifies cases where the ArcGIS Server process (ArcSOC.exe), responsible for hosting REST services, creates files with suspicious types that may indicate executables, scripts, or other anomalous files.

    Indicators of Compromise (IOC) List

    Image :

    \ArcSOC.exe

    Targetfilename :

    - '.ahk'

    - '.aspx'

    - '.au3'

    - '.bat'

    - '.cmd'

    - '.dll'

    - '.exe'

    - '.hta'

    - '.js'

    - '.ps1'

    - '.py'

    - '.vbe'

    - '.vbs'

    - '.wsf'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    resourcename = "Windows Security" AND eventtype = "4663" AND processname like "\ArcSOC.exe" and objectname in (".ahk",".aspx",".au3",".bat",".cmd",".dll",".exe",".hta",".js",".ps1",".py",".vbe",".vbs",".wsf")

    Detection Query 2

    technologygroup = "EDR" AND processname like "\ArcSOC.exe" and objectname in (".ahk",".aspx",".au3",".bat",".cmd",".dll",".exe",".hta",".js",".ps1",".py",".vbe",".vbs",".wsf")

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_event/file_event_win_arcsoc_susp_file_created.yml


    Tags

    SigmaMalwareArcSOC.exe

    « Previous Article

    Comments

    No records to display

    Looking for Something?
    Threat Research Categories:
    Tags

    Privacy & Security StatementTerms & Conditions
    Copyright © 2025 by Gurucul - All rights reserved.