ArcGISPortal.exe
Contributed By: Dray Agha (@purp1ew0lf)
ArcGISPortal.exe runs whoami.exe.
I know other Defenders have been caught out by this weird activity. But ArcGIS spawning whoami is completely legitimate and authorised activity. Huntress telemetry shows ~60,000 in the last 15 hours. I would advise adding this very specific activity to an ignore list, so it does not trigger a detection.
![](https://user-images.githubusercontent.com/44196051/190622843-c9a71b04-492f-4634-9ecc-5cae6e04fd06.png)
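One way to keep that ignore entry as narrow as the note recommends, as an added example that is not from the contributor or from Huntress: suppress only the exact ArcGISPortal.exe to whoami.exe parent/child pair and keep alerting on whoami.exe from any other parent. The field names follow Sysmon process-creation events (`Image`, `ParentImage`, `Computer`); the host names and paths in the sample are constructed.

```python
import ntpath
from collections import Counter

# The single parent/child pair this page describes as legitimate.
IGNORED_PAIRS = {("arcgisportal.exe", "whoami.exe")}

# Constructed sample events; paths and host names are placeholders.
SAMPLE_EVENTS = [
    {"Computer": "GIS01", "ParentImage": r"D:\example\portal\ArcGISPortal.exe",
     "Image": r"C:\Windows\System32\whoami.exe"},
    {"Computer": "GIS01", "ParentImage": r"D:\EXAMPLE\PORTAL\ARCGISPORTAL.EXE",
     "Image": r"C:\Windows\System32\WHOAMI.EXE"},
    {"Computer": "WEB02", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\whoami.exe"},
    {"Computer": "GIS01", "ParentImage": r"D:\example\portal\ArcGISPortal.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"Computer": "WEB02", "Image": r"C:\Windows\System32\whoami.exe"},
]

def _basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path or "").lower()

def triage(events, ignored_pairs=IGNORED_PAIRS):
    """Split process-creation events into whoami alerts, other events, and
    per-host counts of suppressed events.

    Only the exact (parent, child) pair is ignored. whoami.exe from any other
    parent, or with no recorded parent, still alerts; other children of
    ArcGISPortal.exe are returned untouched for the rest of the rule set.
    Matching is on file name only: pinning the install path or signer would
    be tighter, but those values are not given on this page.
    """
    alerts, other, suppressed = [], [], Counter()
    for ev in events:
        child = _basename(ev.get("Image"))
        parent = _basename(ev.get("ParentImage"))
        if child != "whoami.exe":
            other.append(ev)
        elif (parent, child) in ignored_pairs:
            suppressed[ev.get("Computer", "unknown")] += 1
        else:
            alerts.append(ev)
    return alerts, other, suppressed

if __name__ == "__main__":
    alerts, other, suppressed = triage(SAMPLE_EVENTS)
    print(len(alerts), "alerts;", len(other), "other;", dict(suppressed))
```

Keeping the per-host suppressed count lets a sudden change in volume on a host still be noticed even though the individual events no longer alert.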