# Hunting for the Recent Attacks Targeting Microsoft Exchange Server

By [Unit 42](https://www.paloaltonetworks.com/blog/author/unit-42/?lang=ja&ts=markdown "Posts by Unit 42") Mar 10, 2021

## Overview

On March 2, 2021, Volexity reported active exploitation of four Microsoft Exchange Server vulnerabilities: [CVE-2021-26855](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855), [CVE-2021-26857](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857), [CVE-2021-26858](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858) and [CVE-2021-27065](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065). When these vulnerabilities are exploited, an attacker can access Microsoft Exchange Server and install additional tools that facilitate long-term access to the victim environment. There are also [reports](https://twitter.com/ESETresearch/status/1366862948057178115?s=20) that multiple threat actors are using these zero-day vulnerabilities, so post-exploitation activity may vary with each threat actor's objectives.

These vulnerabilities affect the following versions of Microsoft Exchange Server:

* Microsoft Exchange 2013
* Microsoft Exchange 2016
* Microsoft Exchange 2019

Microsoft has released an emergency out-of-band [security update](https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901) that fixes these vulnerabilities. We strongly recommend immediately updating all Microsoft Exchange Servers to the latest patched versions released by Microsoft.

This blog will help you proactively search for related indicators of compromise (IOCs) using Cortex XDR.

## Hunting for This Attack in Your Environment

#### **Review existing alerts for signs of compromise**

We recommend using the existing alerts in Cortex XDR to look for alerts raised from the IIS process `w3wp.exe` and the Exchange worker process `UMWorkerProcess.exe`.

[![Cortex XDR Figure 1](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/03/word-image-62.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/03/word-image-62.png?ts=markdown)

From there, you can pivot to the Causality View and drill down further.

[![Cortex XDR Figure 2: drill-down](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/03/word-image-63.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/03/word-image-63.png?ts=markdown)

#### **Hunt for the attack using XQL Search in Cortex XDR:**

The [China Chopper web shell](https://attack.mitre.org/software/S0020/) has a very distinctive command-line pattern that uses `[s]&cd&echo [e]`. You can search for this pattern with the following query.

```
dataset = xdr_data
| filter event_sub_type = PROCESS_START and lowercase(action_process_image_name) = "cmd.exe" and lowercase(actor_process_image_name) = "w3wp.exe"
| filter lowercase(action_process_image_command_line) contains "[s]&cd&echo [e]"
| fields agent_hostname, agent_version, actor_effective_username, action_process_image_name, action_process_image_command_line, actor_process_image_name, actor_process_image_command_line
```

[![Cortex XDR Figure 3: hunting](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/03/word-image-64.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/03/word-image-64.png?ts=markdown)

Evidence of Microsoft Internet Information Server (IIS) dropping ASPX files into Exchange or common IIS load locations can be taken as a sign that a web shell has been dropped.

```
config case_sensitive = false
| dataset = xdr_data
| filter event_type = FILE and event_sub_type in (FILE_WRITE, FILE_CREATE_NEW)
    and action_file_extension = "aspx"
    and action_file_path ~= "(\\inetpub\\wwwroot\\aspnet_client\\|\\frontend\\httpproxy\\owa\\auth\\|\\frontend\\httpproxy\\ecp\\auth\\)"
    and action_file_path != "*\\frontend\\httpproxy\\ecp\\auth\\timeoutlogoff.aspx"
    and actor_process_image_name in ("UMWorkerProcess.exe", "w3wp.exe", "umservice.exe")
```

Discovery commands executed from the IIS process can be taken as a sign that an attacker is exploring the environment. Use the following query to look for such activity.

```
dataset = xdr_data
| filter lowercase(causality_actor_process_image_name) = "w3wp.exe" and lowercase(actor_process_image_name) in ("cmd.exe", "powershell.exe") and lowercase(action_process_image_name) in ("net.exe", "quser.exe", "certutil.exe", "arp.exe", "hostname.exe", "whoami.exe", "netstat.exe", "ping.exe", "ipconfig.exe", "wmic.exe", "del.exe")
| fields agent_hostname, agent_version, actor_effective_username, causality_actor_process_image_name, causality_actor_process_command_line, actor_process_image_name, actor_process_command_line, action_process_image_name, action_process_image_command_line
```

The attackers perform compression and memory dumping, using `C:\programdata` as a staging location for exfiltration and credential access. Use the following query to find servers performing such activity.

```
config case_sensitive = false
| dataset = xdr_data
| filter event_type = FILE and event_sub_type in (FILE_CREATE_NEW, FILE_WRITE) and agent_os_sub_type contains "server"
| filter action_file_path ~= "c:\\programdata\\[a-zA-Z0-9]+\.(rar|zip|zipx|7z)" OR action_file_path ~= "(c:\\root\\[a-zA-Z0-9]+\.dmp$|c:\\windows\\temp\\[a-zA-Z0-9]+\.dmp$)"
```

The Exchange worker process does not normally create subprocesses, but one of the exploits targets this process. The following Cortex XDR XQL query helps hunt for that case.

```
config case_sensitive = false
| dataset = xdr_data
| filter event_type = PROCESS and event_sub_type = PROCESS_START and os_actor_process_image_name = "UMWorkerProcess.exe"
| filter action_process_image_name != "WerFault.exe" and action_process_image_name != "wermgr.exe"
```

#### **Hunt and respond with Cortex XSOAR**

Cortex XSOAR has released a playbook named "HAFNIUM -- Exchange 0-day exploits". The playbook is part of the *Rapid Breach Response* content pack in our Cortex XSOAR Marketplace. The fully automated playbook does the following:

* Collects indicators to use in the threat hunting process
* Queries firewall logs to detect malicious network activity
* Searches endpoint logs for malicious activity to detect compromised hosts; if Cortex XDR is enabled, the playbook also searches for the alerts described above
* Blocks indicators in various third-party tools

[![Cortex XSOAR Figure 4: playbook](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/03/Screen-Shot-2021-03-04-at-9.10.36-PM.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/03/Screen-Shot-2021-03-04-at-9.10.36-PM.png?ts=markdown)

## Cortex XDR Alerts That Detect This Attack

| **Source** | **Description** |
|---------------------------|------------------------------------------------|
| Cortex XDR Analytics BIOC | Uncommon net group execution |
| Cortex XDR Analytics | Multiple Discovery Commands |
| Cortex XDR BIOC | Exchange process writing aspx files |
| Cortex XDR Agent | Behavioral Threat Detected |
| Cortex XDR Agent | Suspicious Process Creation |
| Cortex XDR Analytics BIOC | Uncommon remote service start via sc.exe |
| Cortex XDR Analytics BIOC | Rare SSH Session |
| Cortex XDR Analytics BIOC | Uncommon ARP cache listing via arp.exe |
| Cortex XDR Analytics BIOC | Uncommon user management via net.exe |
| Cortex XDR Analytics BIOC | WmiPrvSe.exe Rare Child Command Line |
| Cortex XDR Analytics BIOC | Script Connecting to Rare External Host |
| Cortex XDR BIOC | Remote process execution using WMI |
| Cortex XDR BIOC | 64-bit PowerShell spawning a 32-bit PowerShell |
| Cortex XDR BIOC | Suspicious PowerShell Command Line |
| Cortex XDR BIOC | Dumping Registry hives with passwords |

## Observed Activity

Attackers have been observed creating web shell files at the following paths.

```
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServerProxy.aspx
C:\inetpub\wwwroot\aspnet_client\system_web\r1BMaJKT.aspx
C:\inetpub\wwwroot\aspnet_client\system_web\[RANDOM].aspx
C:\inetpub\wwwroot\aspnet_client\supp0rt.aspx
C:\inetpub\wwwroot\aspnet_client\discover.aspx
```

Attackers have also been observed executing the following commands.

```
"cmd" /c cd /d "C:\\inetpub\\wwwroot\\aspnet_client\\system_web"&net group "Exchange Organization administrators" administrator /del /domain&echo [S]&cd&echo [E]
wmic /node:$NODE$ /user:$USER$ /password:$PASSWORD$ process call create "powershell -exec bypass -file c:\programdata\payloadDns.ps1"
"cmd.exe" /c powershell -exec bypass -file c:\programdata\bot.ps1
net group "Exchange Servers" /DOMAIN
cmd /c start c:\windows\temp\xx.bat
net group "Exchange Organization Administrators" /domain
dsquery server -limit 0
net group [REDACTED] /domain
"cmd" /c cd /d "C:\\inetpub\\wwwroot\\aspnet_client\\system_web"&arp -a&echo [S]&cd&echo [E]
net use \\[REDACTED] [PASSWORD] /user:[USER]
powershell.exe -PSconsoleFile "C:\Program Files\Microsoft\Exchange Server\V15\Bin\exshell.psc1" -Command ".'C:\windows\help\help\1.ps1'"
nltest /domain_trusts
"cmd" /c cd /d "C:\\inetpub\\wwwroot\\aspnet_client\\system_web"&wmic process call create "reg save hklm\sam c:\programdata\$FILE_NAME$.log &echo [S]&cd&echo [E]
```

## Conclusion

Threat actors are exploiting these zero-day vulnerabilities, and alarming activity against vulnerable Microsoft Exchange Servers is being observed. We therefore strongly recommend immediately updating all Microsoft Exchange Servers to the latest patched versions released by Microsoft.

In addition, we recommend updating product and content versions to the latest releases and hunting for the threat using the product's built-in protection mechanisms and the XQL queries provided here.

Unit 42's threat assessment is available [here](https://unit42.paloaltonetworks.jp/microsoft-exchange-server-vulnerabilities/).
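
The five XQL hunts above, re-expressed as an added Python example for offline triage of exported endpoint events; this is not code from the original post or from Cortex XDR. The field names, process names and patterns come from the queries on this page, while the dict-per-event export format, the function names and the sample events are assumptions constructed for illustration.

```python
import re

# Patterns and process names are taken from the XQL queries on this page.
# Values are lower-cased before matching (the queries set case_sensitive = false).
CHOPPER_MARKER = "[s]&cd&echo [e]"
WEBSHELL_DIRS = re.compile(
    r"(\\inetpub\\wwwroot\\aspnet_client\\"
    r"|\\frontend\\httpproxy\\owa\\auth\\"
    r"|\\frontend\\httpproxy\\ecp\\auth\\)")
BENIGN_ASPX = r"\frontend\httpproxy\ecp\auth\timeoutlogoff.aspx"
ASPX_WRITERS = {"umworkerprocess.exe", "w3wp.exe", "umservice.exe"}
UM_BENIGN_CHILDREN = {"werfault.exe", "wermgr.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
DISCOVERY = {"net.exe", "quser.exe", "certutil.exe", "arp.exe", "hostname.exe",
             "whoami.exe", "netstat.exe", "ping.exe", "ipconfig.exe",
             "wmic.exe", "del.exe"}
STAGING = re.compile(
    r"c:\\programdata\\[a-z0-9]+\.(rar|zip|zipx|7z)"
    r"|c:\\root\\[a-z0-9]+\.dmp$"
    r"|c:\\windows\\temp\\[a-z0-9]+\.dmp$")
FILE_EVENTS = {"FILE_WRITE", "FILE_CREATE_NEW"}


def _lc(event, field):
    """Lower-cased field value; a missing field becomes an empty string."""
    return str(event.get(field) or "").lower()


def classify(event):
    """Return the names of the page's hunts that a single event satisfies."""
    hits = []
    sub = event.get("event_sub_type")
    actor = _lc(event, "actor_process_image_name")
    child = _lc(event, "action_process_image_name")
    path = _lc(event, "action_file_path")
    if sub == "PROCESS_START":
        cmdline = _lc(event, "action_process_image_command_line")
        if actor == "w3wp.exe" and child == "cmd.exe" and CHOPPER_MARKER in cmdline:
            hits.append("china_chopper_cmdline")
        if (_lc(event, "causality_actor_process_image_name") == "w3wp.exe"
                and actor in SHELLS and child in DISCOVERY):
            hits.append("iis_discovery_command")
        if (_lc(event, "os_actor_process_image_name") == "umworkerprocess.exe"
                and child not in UM_BENIGN_CHILDREN):
            hits.append("um_worker_child_process")
    elif sub in FILE_EVENTS:
        if (_lc(event, "action_file_extension") == "aspx"
                and WEBSHELL_DIRS.search(path)
                and not path.endswith(BENIGN_ASPX)
                and actor in ASPX_WRITERS):
            hits.append("aspx_dropped_by_iis_or_exchange")
        if "server" in _lc(event, "agent_os_sub_type") and STAGING.search(path):
            hits.append("archive_or_dump_staging")
    return hits


def triage(events):
    """Map the index of each flagged event to the hunts it matched."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}


# Constructed sample events (not real telemetry). The command line and the
# supp0rt.aspx name reuse strings quoted on this page; the rest is invented.
SAMPLE_EVENTS = [
    {"event_sub_type": "PROCESS_START", "actor_process_image_name": "w3wp.exe",
     "action_process_image_name": "cmd.exe",
     "action_process_image_command_line":
         r'"cmd" /c cd /d "C:\\inetpub\\wwwroot\\aspnet_client\\system_web"'
         r"&arp -a&echo [S]&cd&echo [E]"},
    {"event_sub_type": "PROCESS_START",
     "causality_actor_process_image_name": "w3wp.exe",
     "actor_process_image_name": "cmd.exe",
     "action_process_image_name": "arp.exe"},
    {"event_sub_type": "PROCESS_START",
     "os_actor_process_image_name": "UMWorkerProcess.exe",
     "action_process_image_name": "WerFault.exe"},
    {"event_sub_type": "PROCESS_START",
     "os_actor_process_image_name": "UMWorkerProcess.exe",
     "action_process_image_name": "cmd.exe"},
    {"event_sub_type": "FILE_CREATE_NEW", "actor_process_image_name": "w3wp.exe",
     "action_file_extension": "aspx",
     "action_file_path": r"C:\inetpub\wwwroot\aspnet_client\supp0rt.aspx"},
    {"event_sub_type": "FILE_WRITE", "actor_process_image_name": "w3wp.exe",
     "action_file_extension": "aspx",
     "action_file_path": r"C:\Program Files\Microsoft\Exchange Server\V15"
                         r"\FrontEnd\HttpProxy\ecp\auth\TimeoutLogoff.aspx"},
    {"event_sub_type": "FILE_CREATE_NEW", "agent_os_sub_type": "Windows Server 2016",
     "action_file_extension": "zip", "action_file_path": r"c:\programdata\a1.zip"},
]
```

`triage(SAMPLE_EVENTS)` flags events 0, 1, 3, 4 and 6; the `WerFault.exe` child and the `TimeoutLogoff.aspx` write are the two exclusions the queries carve out and stay unflagged.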