mttaggart / wtfbins

WTF are these binaries doing?! A list of benign applications that mimic malicious behavior.
MIT License

Cisco AnyConnect: Diagnose Connection Issues, WHOAMI as system #12

Open no2aq opened 2 years ago

no2aq commented 2 years ago

c:\program files (x86)\cisco\cisco anyconnect secure mobility client\opswat\wadiagnose.exe is the parent process that calls it.

Only seen if running Sysmon.

Tested on Cisco AnyConnect Agent v.4.9.06037

mttaggart commented 2 years ago

@no2aq,

Thank you for this submission! It seems promising. But in order to be approved, we do need a link to documentation of the behavior. If no official documentation exists, this is your chance to do a writeup showing the WTFBin in action! Once completed, link it here and we'll move forward.
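
A triage rule for the behavior reported in the first comment, as an added example that is not part of the issue thread or the wtfbins project: it parses Sysmon process-creation events (Event ID 1) and separates `whoami.exe` running as SYSTEM under the reported `wadiagnose.exe` path from the same event under any other parent. The function names and the sample events are constructed for illustration; the parent path is the one given in the issue, and matching on path alone (no signer check) is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Parent path as reported in the issue, lower-cased for comparison.
WADIAGNOSE = (r"c:\program files (x86)\cisco\cisco anyconnect secure mobility client"
              r"\opswat\wadiagnose.exe")

def fields(event_xml):
    """Return (event_id, {Name: text}) for one Sysmon event rendered as XML."""
    root = ET.fromstring(event_xml)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def triage(event_xml):
    """Classify a process-creation event: 'ignore', 'known-benign' or 'investigate'."""
    event_id, d = fields(event_xml)
    image = d.get("Image", "").lower()
    if event_id != 1 or not image.endswith("\\whoami.exe"):
        return "ignore"
    if d.get("User", "").upper() != r"NT AUTHORITY\SYSTEM":
        return "ignore"  # this rule only covers whoami running as SYSTEM
    # Exact full-path match, not a substring or bare file name, so a
    # wadiagnose.exe started from another directory is still surfaced.
    if d.get("ParentImage", "").lower() == WADIAGNOSE:
        return "known-benign"
    return "investigate"

def sample(parent, image=r"C:\Windows\System32\whoami.exe", user=r"NT AUTHORITY\SYSTEM"):
    """Build a constructed, minimal Sysmon Event ID 1 record for testing."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>1</EventID></System>
<EventData>
<Data Name="Image">{image}</Data>
<Data Name="User">{user}</Data>
<Data Name="ParentImage">{parent}</Data>
</EventData>
</Event>"""

if __name__ == "__main__":
    reported = (r"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client"
                r"\opswat\wadiagnose.exe")
    for parent in (reported, r"C:\Users\Public\wadiagnose.exe"):
        print(triage(sample(parent)), "<-", parent)
```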