[New WTFBin]: ArcGIS deploys whoami.exe

[Purp1eW0lf]

• Contributor Name: Dray Agha @Purp1eW0lf
• Application/Executable: ArcGIS, specifically two binaries: C:\Program Files\ArcGIS\Portal\framework\runtime\jre\bin\javaw.exe andC:\Program Files\ArcGIS\Portal\framework\service\bin\ArcGISPortal.exe
• WTF Behavior Description: ArcGIS runs whoami.exe
• Link to Documentation of Behavior: Apparently, ArcGIS is checking the appropriate user who "can read / write to the required directories" [1]
• Please provide any images for additional evidence. I know other Defenders have been caught out by this weird activity [2]. But, ArcGIS spawning whoami is completely legitimate and authorised activity. Huntress telemetry shows ~60,000 in the last 15 hours. I would advice adding this very specific activity to an ignore list, so it does not trigger a detection.

[mttaggart]

Added in 408c01d665d8cd123d3d589ea3fb647247994de6. Thanks as always bud!