
Suspicious ArcSOC.exe Child Process (8e95e73e-ba02-4a87-b4d7-0929b8053038)

Detects script interpreters, command-line tools, and similar suspicious child processes of ArcSOC.exe. ArcSOC.exe is the process that hosts ArcGIS Server REST services. If an attacker compromises an ArcGIS Server system and uploads a malicious Server Object Extension (SOE), they can send crafted requests to the corresponding service endpoint and remotely execute code from the ArcSOC.exe process.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Suspicious ArcSOC.exe Child Process (8e95e73e-ba02-4a87-b4d7-0929b8053038) | Sigma-Rules | 1 |
| Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) | Attack Pattern | Suspicious ArcSOC.exe Child Process (8e95e73e-ba02-4a87-b4d7-0929b8053038) | Sigma-Rules | 1 |