Node.exe used by Adobe Creative Cloud Experience repetitively does Full Domain User enumeration

[Warlord711]

• Node.js Version: 6.12.3
• OS: Win 10
• Scope (install, code, runtime, meta, other?): other
• Module (and version) (if relevant):

While investing in an issue with a client system that does domain user enumeration every 30 seconds for like 30 Minutes after going online, I found that the node.exe is doing massive LDAP enumeration targeting both domain controllers and clients at is seems.

I checked the file integrity, it's unaltered, digitally signed and passed virustotal.com scan.
Why does the node.exe need to enumerate all domain users every 30 seconds ?

[bnoordhuis]

By whom is the executable signed? Adobe? If that's the case you should direct your question to them because they're probably distributing a modified copy of node.

[Warlord711]

No, signed by Node.js Ben Noordhuis <notifications@github.com> schrieb am Mo., 30. Sept. 2019, 15:04:

…

By whom is the executable signed? Adobe? If that's the case you should direct your question to them because they're probably distributing a modified copy of node. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#2213?email_source=notifications&email_token=ADGP2EO56RPCH3L257SMJSDQMH2NBA5CNFSM4I3YW5U2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD75R6BA#issuecomment-536551172>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ADGP2EJ3OL2D2LXTSWA4A2LQMH2NBANCNFSM4I3YW5UQ> .

[bnoordhuis]

Okay, but what script is it executing? Node.js itself is just a runtime, much like .NET or the JVM.

[vweevers]

@Warlord711 The script is in %ProgramFiles(x86)%\Adobe\Adobe Creative Cloud Experience\js\main.js (or similar, check the arguments passed to node.exe) and can be freely inspected. In the version that I'm looking at there's - among other things - a native addon that integrates with Adobe IMS which in turn uses LDAP. That would be my bet. In any case, it's not Node.js that's doing the LDAP enumeration.

[Warlord711]

Yes I came to same result. We reimaged the system and it did not happened on the system again. If one system behave different than all other, format and reinstall is the quickest solution. Vincent Weevers <notifications@github.com> schrieb am Sa., 19. Okt. 2019, 15:09:

…

@Warlord711 <https://github.com/Warlord711> The script is in %ProgramFiles(x86)%\Adobe\Adobe Creative Cloud Experience\js\main.js (or similar, check the arguments passed to node.exe) and can be freely inspected. In the version that I'm looking at there's - among other things - a native addon that integrates with Adobe IMS which in turn uses LDAP. That would be my bet. In any case, it's not Node.js that's doing the LDAP enumeration. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2213?email_source=notifications&email_token=ADGP2ELK7G42R5ITGN5R2EDQPMBHVA5CNFSM4I3YW5U2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEBXPGEY#issuecomment-544142099>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ADGP2EPKO6NLQIEV5IAXOIDQPMBHVANCNFSM4I3YW5UQ> .

[vweevers]

Good to close, then.