Is CCXProcess (node.exe) querying the Adobe system policy registry via cmd.exe normal behavior?
Hello,
We are currently experiencing a high volume of alerts in our SIEM (Elastic Security) related to a specific process behavior associated with Adobe Creative Cloud Experience.
The observed process chain is as follows:
Parent Process:
C:\Program Files\Adobe\Adobe Creative Cloud Experience\libs\node.exe
Parent Command Line:
"...\node.exe" "...\js\main.js"
Child Process:
C:\WINDOWS\system32\cmd.exe
Command Executed:
C:\WINDOWS\system32\cmd.exe /d /s /c "C:\WINDOWS\system32\reg.exe QUERY "HKLM\SOFTWARE\Policies\Adobe\CCXProcess""
We would like to confirm whether this behavior is expected.
Specifically, could you please confirm whether Adobe Creative Cloud Experience is designed to invoke cmd.exe and reg.exe to query the following registry key as part of its normal operation?
HKLM\SOFTWARE\Policies\Adobe\CCXProcess
If so, could you also confirm that this behavior is expected by design?
Your confirmation will help us accurately classify this activity and appropriately tune our SIEM detection rules.
Thank you in advance for your support.
Best regards,
