Suspicious ArcSOC.exe Child Process

Sigma Rules

Summary
This rule detects potentially malicious child processes spawned by ArcSOC.exe, the process associated with ArcGIS Server REST services. It looks for script interpreters and command-line tools that can be abused for remote code execution when an attacker compromises ArcGIS Server through an uploaded Server Object Extension (SOE): once the SOE is in place, the attacker can craft requests to the service endpoint that lead to unauthorized code execution. The detection matches processes whose parent is ArcSOC.exe, filters out known benign command executions, and flags only those that deviate from expected behavior. The rule is deliberately kept at a high level so that it covers this attack vector broadly rather than a single exploit.
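As an added illustration (not the rule's own Sigma source, which this page does not include), the following Python applies the same parent/child/allowlist logic to constructed Sysmon-style process-creation events. The interpreter list, the allowlist entry and the ArcSOC.exe install path are assumptions, not values taken from the rule.

```python
import ntpath

# ASSUMPTION: child images treated as suspicious; the real rule's list may differ.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "python.exe",
}

# Operator-maintained allowlist of command-line substrings known to be benign
# in a given deployment. The single entry is a constructed placeholder.
BENIGN_COMMANDLINE_PATTERNS = ("ALLOWLISTED-MAINTENANCE-TASK",)

def _image_name(path):
    """Lower-cased file name of a Windows image path ('' if missing)."""
    return ntpath.basename(path or "").lower()

def is_suspicious(event):
    """True when ArcSOC.exe spawns a listed interpreter/tool that is not allowlisted."""
    if _image_name(event.get("ParentImage")) != "arcsoc.exe":
        return False
    if _image_name(event.get("Image")) not in SUSPICIOUS_CHILDREN:
        return False
    cmdline = (event.get("CommandLine") or "").lower()
    return not any(p.lower() in cmdline for p in BENIGN_COMMANDLINE_PATTERNS)

def run_detection(events):
    """Return the subset of process-creation events that match the rule."""
    return [e for e in events if is_suspicious(e)]

ARCSOC = r"C:\Program Files\ArcGIS\Server\bin\ArcSOC.exe"  # assumed install path

# Constructed sample events using Sysmon Event ID 1 field names; not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": ARCSOC, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},   # flagged
    {"ParentImage": ARCSOC, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "ALLOWLISTED-MAINTENANCE-TASK"'},         # allowlisted
    {"ParentImage": ARCSOC, "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "conhost.exe 0x4"},                                   # not an interpreter
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},                                           # wrong parent
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("SUSPICIOUS:", hit["CommandLine"])
```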
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2025-11-25