Application/Executable: ArcGIS, specifically two binaries: C:\Program Files\ArcGIS\Portal\framework\runtime\jre\bin\javaw.exe and C:\Program Files\ArcGIS\Portal\framework\service\bin\ArcGISPortal.exe
WTF Behavior Description: ArcGIS runs whoami.exe
Link to Documentation of Behavior: Apparently, ArcGIS is checking the appropriate user who "can read / write to the required directories" [1]
Please provide any images for additional evidence.
I know other Defenders have been caught out by this weird activity [2]. But, ArcGIS spawning whoami is completely legitimate and authorised activity. Huntress telemetry shows ~60,000 in the last 15 hours. I would advise adding this very specific activity to an ignore list, so it does not trigger a detection.
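As an added example (not part of this WTFBins entry, nor ArcGIS or Huntress code), the following Python shows how narrow the suggested ignore entry should be: a process-creation rule that still alerts on whoami.exe spawns in general, but suppresses only the two exact ArcGIS parent paths named above, rather than any javaw.exe on the host. Field names (ParentImage, Image) are assumed to follow Sysmon Event ID 1 naming, and the sample events are constructed, not real telemetry.

```python
# Added example: whoami.exe process-creation rule with a path-exact
# exclusion for the two ArcGIS parents listed in the entry.
# Event field names (ParentImage, Image) are an assumption modelled on
# Sysmon Event ID 1; sample events below are constructed.
import ntpath

# Exact parent paths from the entry. Comparison is case-insensitive
# (Windows paths are), but the full path must match so that a javaw.exe
# anywhere else on the system is NOT excluded.
ARCGIS_PARENTS = {
    r"C:\Program Files\ArcGIS\Portal\framework\runtime\jre\bin\javaw.exe",
    r"C:\Program Files\ArcGIS\Portal\framework\service\bin\ArcGISPortal.exe",
}
_ARCGIS_PARENTS_NORM = {p.lower() for p in ARCGIS_PARENTS}


def is_whoami(image: str) -> bool:
    """True when the spawned image is whoami.exe, regardless of directory."""
    return ntpath.basename(image).lower() == "whoami.exe"


def is_arcgis_parent(parent_image: str) -> bool:
    """True only for the two exact ArcGIS binaries named in the entry."""
    return parent_image.lower() in _ARCGIS_PARENTS_NORM


def classify(event: dict) -> str:
    """Return 'alert', 'suppressed' or 'ignore' for one process-creation event."""
    if not is_whoami(event.get("Image", "")):
        return "ignore"          # rule does not apply to non-whoami children
    if is_arcgis_parent(event.get("ParentImage", "")):
        return "suppressed"      # the documented benign ArcGIS behaviour
    return "alert"               # any other parent still surfaces for review


def triage(events):
    """Classify a batch of events into {'alert': [...], 'suppressed': [...]}."""
    out = {"alert": [], "suppressed": []}
    for ev in events:
        verdict = classify(ev)
        if verdict in out:
            out[verdict].append(ev)
    return out


# Constructed sample events (fictitious values, Sysmon-style field names).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\ArcGIS\Portal\framework\runtime\jre\bin\javaw.exe",
     "Image": r"C:\Windows\System32\whoami.exe"},
    # Same binary, different letter case: Windows treats these as equal.
    {"ParentImage": r"c:\program files\arcgis\portal\framework\service\bin\arcgisportal.exe",
     "Image": r"C:\Windows\System32\whoami.exe"},
    # A javaw.exe outside the ArcGIS install tree: must still alert.
    {"ParentImage": r"C:\Users\Public\jre\bin\javaw.exe",
     "Image": r"C:\Windows\System32\whoami.exe"},
    # Not whoami at all: outside the scope of this rule.
    {"ParentImage": r"C:\Program Files\ArcGIS\Portal\framework\runtime\jre\bin\javaw.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print(f"alerts: {len(result['alert'])}, suppressed: {len(result['suppressed'])}")
```

Keying the exclusion on the complete parent path rather than on the file name is the point: the third sample event (a javaw.exe under a user-writable directory) still produces an alert, while the two ArcGIS paths are quietly suppressed.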