detection.wiki

Detection rules › Sigma

Suspicious File Created by ArcSOC.exe

Severity
high
Author
Micah Babinski
Source
upstream

Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS server, creates a file with suspicious file type, indicating that it may be an executable, script file, or otherwise unusual.

MITRE ATT&CK coverage

TacticTechniques
Initial AccessT1133 External Remote Services
PersistenceT1133 External Remote Services
Defense EvasionT1127 Trusted Developer Utilities Proxy Execution
Command & ControlT1105 Ingress Tool Transfer

Event coverage

ProviderEvent IDTitle
Sysmon11FileCreate

Stages and Predicates

Stage 1: selection

or:
TargetFilename|endswith: .ahk
TargetFilename|endswith: .aspx
TargetFilename|endswith: .au3
TargetFilename|endswith: .bat
TargetFilename|endswith: .cmd
TargetFilename|endswith: .dll
TargetFilename|endswith: .exe
TargetFilename|endswith: .hta
TargetFilename|endswith: .js
TargetFilename|endswith: .ps1
TargetFilename|endswith: .py
TargetFilename|endswith: .vbe
TargetFilename|endswith: .vbs
TargetFilename|endswith: .wsf
Image|endswith: '\ArcSOC.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Imageends_with
  • \ArcSOC.exe
TargetFilenameends_with
  • .ahk
  • .aspx corpus 5 (sigma 5)
  • .au3
  • .bat corpus 15 (sigma 15)
  • .cmd corpus 8 (sigma 8)
  • .dll corpus 21 (sigma 21)
  • .exe corpus 18 (sigma 18)
  • .hta corpus 12 (sigma 12)
  • .js corpus 8 (sigma 8)
  • .ps1 corpus 15 (sigma 15)
  • .py corpus 2 (sigma 2)
  • .vbe corpus 13 (sigma 13)
  • .vbs corpus 16 (sigma 16)
  • .wsf corpus 6 (sigma 6)