Intel Name: Suspicious arcsoc.exe child process
Date of Scan: December 22, 2025
Impact: High
Summary: Identifies script interpreters, command-line utilities, and other potentially suspicious child processes spawned by ArcSOC.exe. ArcSOC.exe is the process responsible for hosting ArcGIS Server REST services. If an attacker compromises an ArcGIS Server environment and deploys a malicious Server Object Extension (SOE), they can issue specially crafted requests to the affected service endpoint to achieve remote code execution within the ArcSOC.exe process.
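Detection sketch: the parent/child check described in the Summary, as an added example that is not the rule's own logic. The child-process watchlist, the Sysmon-style field names (`Image`, `ParentImage`, `CommandLine`) and the sample events, including their file paths, are assumptions constructed for illustration; the page names only the categories of child process.

```python
import ntpath

# Assumed watchlist: the page names only categories (script interpreters,
# command-line utilities); these basenames are illustrative, not the rule's list.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
PARENT = "arcsoc.exe"


def basename(image):
    """Lower-cased file name of a Windows image path (works on any OS)."""
    return ntpath.basename((image or "").strip().strip('"')).lower()


def is_suspicious(event):
    """True when ArcSOC.exe is the parent and the child is on the watchlist."""
    return (basename(event.get("ParentImage")) == PARENT
            and basename(event.get("Image")) in SUSPICIOUS_CHILDREN)


def triage(events):
    """Return (child, command line) for each matching event, for analyst review."""
    return [(basename(e["Image"]), e.get("CommandLine", ""))
            for e in events if is_suspicious(e)]


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\ArcGIS\Server\bin\ArcSOC.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ver"},
    # Mixed case in both parent and child: matching must be case-insensitive.
    {"ParentImage": r"C:\Program Files\ArcGIS\Server\bin\ARCSOC.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    # Same child, different parent: out of scope for this rule.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    # ArcSOC.exe parent, child not on the assumed watchlist: no alert.
    {"ParentImage": r"C:\Program Files\ArcGIS\Server\bin\ArcSOC.exe",
     "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe"},
]

if __name__ == "__main__":
    for child, cmdline in triage(SAMPLE_EVENTS):
        print(f"ALERT ArcSOC.exe -> {child}: {cmdline}")
```

Matching on the image file name alone misses renamed binaries; where the telemetry carries an original-file-name or hash field, match on that as well.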