ArcGISPortal.exe

2023-09-13 by Dray Agha (@purp1ew0lf)

Not just bad guys run whoami.

ArcGISPortal.exe runs whoami.exe. I know other defenders have been caught out by this weird activity. But ArcGIS spawning whoami is completely legitimate and authorised activity. Huntress telemetry shows ~60,000 in the last 15 hours. I would advise adding this very specific activity to an ignore list, so it does not trigger a detection.
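One way to keep such an ignore entry narrow, as an added example that is not from the original page or from Huntress: suppress whoami.exe only when its parent is ArcGISPortal.exe, and keep alerting on every other parent. The field names follow Sysmon process-creation events; the install directory, the extra check on the parent's directory and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Constructed placeholder: set this to the directory ArcGISPortal.exe is really installed in.
TRUSTED_PARENT_DIRS = {ntpath.normcase(r"C:\EXAMPLE-INSTALL-DIR\ArcGIS\Portal\bin")}

def is_whoami(event):
    return ntpath.basename(ntpath.normcase(event["Image"])) == "whoami.exe"

def is_arcgis_whoami(event):
    """True only for whoami.exe spawned by ArcGISPortal.exe from a trusted directory."""
    parent = ntpath.normcase(event["ParentImage"])
    return (is_whoami(event)
            and ntpath.basename(parent) == "arcgisportal.exe"
            and ntpath.dirname(parent) in TRUSTED_PARENT_DIRS)

def triage(events):
    """Split whoami.exe executions into (alerts, suppressed); other processes are skipped."""
    alerts, suppressed = [], []
    for event in events:
        if is_whoami(event):
            (suppressed if is_arcgis_whoami(event) else alerts).append(event)
    return alerts, suppressed

# Constructed sample events using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"C:\EXAMPLE-INSTALL-DIR\ArcGIS\Portal\bin\ArcGISPortal.exe"},
    {"Image": r"C:\Windows\System32\WHOAMI.EXE",
     "ParentImage": r"c:\example-install-dir\arcgis\portal\bin\arcgisportal.exe"},
    {"Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"C:\Users\Public\ArcGISPortal.exe"},
    {"Image": r"C:\Windows\System32\ipconfig.exe",
     "ParentImage": r"C:\EXAMPLE-INSTALL-DIR\ArcGIS\Portal\bin\ArcGISPortal.exe"},
]

if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS)
    for event in alerts:
        print("ALERT     ", event["ParentImage"], "->", event["Image"])
    for event in suppressed:
        print("SUPPRESSED", event["ParentImage"], "->", event["Image"])
```

Only the first two sample events are suppressed; whoami.exe under cmd.exe, or under a same-named parent outside the trusted directory, still raises an alert.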

Documentation