Merge PR #5774 from @mbabinski - Added rules related to ArcGIS Server Object Extension abuse

new: Suspicious File Created by ArcSOC.exe
new: Suspicious ArcSOC.exe Child Process

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>

rules/windows/file/file_event/file_event_win_arcsoc_susp_file_created.yml

@@ -0,0 +1,45 @@
+title: Suspicious File Created by ArcSOC.exe
+id: e890acee-d488-420e-8f20-d9b19b3c3d43
+status: experimental
+description: |
+    Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS
+    server, creates a file with suspicious file type, indicating that it may be an executable, script file,
+    or otherwise unusual.
+references:
+    - https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise/
+    - https://enterprise.arcgis.com/en/server/12.0/administer/windows/inside-an-arcgis-server-site.htm
+author: Micah Babinski
+date: 2025-11-25
+tags:
+    - attack.defense-evasion
+    - attack.command-and-control
+    - attack.persistence
+    - attack.initial-access
+    - attack.t1127
+    - attack.t1105
+    - attack.t1133
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\ArcSOC.exe'
+        TargetFilename|endswith:
+            - '.ahk'
+            - '.aspx'
+            - '.au3'
+            - '.bat'
+            - '.cmd'
+            - '.dll'
+            - '.exe'
+            - '.hta'
+            - '.js'
+            - '.ps1'
+            - '.py'
+            - '.vbe'
+            - '.vbs'
+            - '.wsf'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high

rules/windows/process_creation/proc_creation_win_arcsoc_susp_child_process.yml

@@ -0,0 +1,40 @@
+title: Suspicious ArcSOC.exe Child Process
+id: 8e95e73e-ba02-4a87-b4d7-0929b8053038
+status: experimental
+description: |
+    Detects script interpreters, command-line tools, and similar suspicious child processes of ArcSOC.exe.
+    ArcSOC.exe is the process name which hosts ArcGIS Server REST services. If an attacker compromises an ArcGIS
+    Server system and uploads a malicious Server Object Extension (SOE), they can send crafted requests to the corresponding
+    service endpoint and remotely execute code from the ArcSOC.exe process.
+references:
+    - https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise/
+    - https://enterprise.arcgis.com/en/server/12.0/administer/windows/inside-an-arcgis-server-site.htm
+author: Micah Babinski
+date: 2025-11-25
+tags:
+    - attack.execution
+    - attack.t1059
+    - attack.t1203
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage|endswith: '\ArcSOC.exe'
+        Image|endswith:
+            - '\cmd.exe'
+            - '\cscript.exe'
+            - '\mshta.exe'
+            - '\powershell.exe'
+            - '\pwsh.exe'
+            - '\regsvr32.exe'
+            - '\rundll32.exe'
+            - '\wmic.exe'
+            - '\wscript.exe'
+    filter_main_cmd:
+        Image|endswith: '\cmd.exe'
+        CommandLine: 'cmd.exe /c "ver"'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Unknown
+level: high