# Hunting for the Recent Attacks Targeting Microsoft Exchange

By [Unit 42](https://www.paloaltonetworks.com/blog/author/unit-42/?ts=markdown "Posts by Unit 42"), Mar 03, 2021

## Executive Summary

March 16 Update: A detailed timeline of protections released across our Cortex XDR products has been added to this blog post.

On March 2, 2021, Volexity reported the in-the-wild exploitation of four Microsoft Exchange Server vulnerabilities: [CVE-2021-26855](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855), [CVE-2021-26857](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857), [CVE-2021-26858](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858) and [CVE-2021-27065](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065).

By exploiting these vulnerabilities, adversaries can access Microsoft Exchange servers and install additional tools to facilitate long-term access into victims' environments. There has also been a [report](https://twitter.com/ESETresearch/status/1366862948057178115?s=20) of multiple threat actors leveraging these zero-day vulnerabilities, meaning post-exploitation activity may vary depending on the purpose of the different threat actors.

These vulnerabilities affect the following Microsoft Exchange Server versions:

* Microsoft Exchange 2013.
* Microsoft Exchange 2016.
* Microsoft Exchange 2019.

Microsoft has released an emergency out-of-band [security update](https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901) to patch these vulnerabilities. We strongly advise immediately updating all Microsoft Exchange servers to the latest available patched versions released by Microsoft.

This blog will help you proactively search for related indicators of compromise (IOCs) using Cortex XDR.

## Hunting for this Attack in Your Environment

#### **Review existing alerts for signs of compromise**

Leveraging the existing alerts in Cortex XDR, we suggest hunting for alerts from the IIS process, w3wp.exe, and the Exchange worker process, UMWorkerProcess.exe.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/03/word-image-62.png)

From there, we can pivot to a causality screen to drill deeper:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/03/word-image-63.png)

#### **Hunt for the attack using XQL Search in Cortex XDR:**

The [China Chopper webshell](https://attack.mitre.org/software/S0020/) has very distinct command line patterns that use `[s]&cd&echo [e]`. You can look for these patterns with the following query:

```
dataset = xdr_data
| filter event_sub_type = PROCESS_START
    and lowercase(action_process_image_name) = "cmd.exe"
    and lowercase(actor_process_image_name) = "w3wp.exe"
| filter lowercase(action_process_image_command_line) contains "[s]&cd&echo [e]"
| fields agent_hostname, agent_version, actor_effective_username, action_process_image_name, action_process_image_command_line, actor_process_image_name, actor_process_image_command_line
```

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/03/word-image-64.png)

Microsoft Internet Information Server (IIS) dropping ASPX files into Exchange and generic IIS loading locations is a good indication of a webshell drop:

```
config case_sensitive = false
| dataset = xdr_data
| filter event_type = FILE
    and event_sub_type in (FILE_WRITE, FILE_CREATE_NEW)
    and action_file_extension = "aspx"
    and action_file_path ~= "(\\inetpub\\wwwroot\\aspnet_client\\|\\frontend\\httpproxy\\owa\\auth\\|\\frontend\\httpproxy\\ecp\\auth\\)"
    and action_file_path != "*\\frontend\\httpproxy\\ecp\\auth\\timeoutlogoff.aspx"
    and actor_process_image_name in ("UMWorkerProcess.exe", "w3wp.exe", "umservice.exe")
```

Running discovery commands from IIS processes is a good indication of an attacker trying to get the lay of the land.
Hunt for such activities using this query:

```
dataset = xdr_data
| filter lowercase(causality_actor_process_image_name) = "w3wp.exe"
    and lowercase(actor_process_image_name) in ("cmd.exe", "powershell.exe")
    and lowercase(action_process_image_name) in ("net.exe", "quser.exe", "certutil.exe", "arp.exe", "hostname.exe", "whoami.exe", "netstat.exe", "ping.exe", "ipconfig.exe", "wmic.exe", "del.exe")
| fields agent_hostname, agent_version, actor_effective_username, causality_actor_process_image_name, causality_actor_process_command_line, actor_process_image_name, actor_process_command_line, action_process_image_name, action_process_image_command_line
```

The attackers use compression and
memory dumps to stage exfiltration and credential access using `C:\programdata` as the staging location. Hunt for servers doing this activity using this query:

```
config case_sensitive = false
| dataset = xdr_data
| filter event_type = FILE
    and event_sub_type in (FILE_CREATE_NEW, FILE_WRITE)
    and agent_os_sub_type contains "server"
| filter action_file_path ~= "c:\\programdata\\[a-zA-Z0-9]+\.(rar|zip|zipx|7z)"
    OR action_file_path ~= "(c:\\root\\[a-zA-Z0-9]+\.dmp$|c:\\windows\\temp\\[a-zA-Z0-9]+\.dmp$)"
```

The Exchange worker process does not usually create subprocesses, and one of the exploits targets this process.
This XQL query in Cortex XDR will help hunt for such cases:

```
config case_sensitive = false
| dataset = xdr_data
| filter event_type = PROCESS
    and event_sub_type = PROCESS_START
    and os_actor_process_image_name = "UMWorkerProcess.exe"
| filter action_process_image_name != "WerFault.exe"
    and action_process_image_name != "wermgr.exe"
```

#### **Hunt and respond with Cortex XSOAR**

Cortex XSOAR has released a playbook called "HAFNIUM - Exchange 0-day exploits". You can find it in the *Rapid Breach Response* content pack on our Cortex XSOAR Marketplace.
The fully automated playbook will execute the following:

* Collect indicators to be used in your threat hunting processes
* Query firewall logs to detect malicious network activity
* Search endpoint logs for malicious activity to detect compromised hosts; if Cortex XDR is enabled, the playbook will also search for alerts detailed above
* Block indicators in various third-party tools

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/03/Screen-Shot-2021-03-04-at-9.10.36-PM.png)

## Cortex XDR alerts that detect this attack

| **Source** | **Description** |
|---|---|
| Cortex XDR Analytics BIOC | Uncommon net group execution |
| Cortex XDR Analytics | Multiple Discovery Commands |
| Cortex XDR BIOC | Exchange process writing aspx files |
| Cortex XDR Agent | Behavioral Threat Detected |
| Cortex XDR Agent | Suspicious Process Creation |
| Cortex XDR Analytics BIOC | Uncommon remote service start via sc.exe |
| Cortex XDR Analytics BIOC | Rare SSH Session |
| Cortex XDR Analytics BIOC | Uncommon ARP cache listing via arp.exe |
| Cortex XDR Analytics BIOC | Uncommon user management via net.exe |
| Cortex XDR Analytics BIOC | WmiPrvSe.exe Rare Child Command Line |
| Cortex XDR Analytics BIOC | Script Connecting to Rare External Host |
| Cortex XDR BIOC | Remote process execution using WMI |
| Cortex XDR BIOC | 64-bit PowerShell spawning a 32-bit PowerShell |
| Cortex XDR BIOC | Suspicious PowerShell Command Line |
| Cortex XDR BIOC | Dumping Registry hives with passwords |

## Observed Activities

We have seen attackers create webshell files on these paths:

```
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServerProxy.aspx
C:\inetpub\wwwroot\aspnet_client\system_web\r1BMaJKT.aspx
C:\inetpub\wwwroot\aspnet_client\system_web\[RANDOM].aspx
C:\inetpub\wwwroot\aspnet_client\supp0rt.aspx
C:\inetpub\wwwroot\aspnet_client\discover.aspx
```

We have seen attackers execute the following commands:

```
"cmd" /c cd /d "C:\\inetpub\\wwwroot\\aspnet_client\\system_web"&net group "Exchange Organization administrators" administrator /del /domain&echo [S]&cd&echo [E]
wmic /node:$NODE$ /user:$USER$ /password:$PASSWORD$ process call create "powershell -exec bypass -file c:\programdata\payloadDns.ps1"
"cmd.exe" /c powershell -exec bypass -file c:\programdata\bot.ps1
net group "Exchange Servers" /DOMAIN
cmd /c start c:\windows\temp\xx.bat
net group "Exchange Organization Administrators" /domain
dsquery server -limit 0
net group [REDACTED] /domain
"cmd" /c cd /d "C:\\inetpub\\wwwroot\\aspnet_client\\system_web"&arp -a&echo [S]&cd&echo [E]
net use \\[REDACTED] [PASSWORD] /user:[USER]
powershell.exe -PSconsoleFile "C:\Program Files\Microsoft\Exchange Server\V15\Bin\exshell.psc1" -Command ".'C:\windows\help\help\1.ps1'"
nltest /domain_trusts
"cmd" /c cd /d "C:\\inetpub\\wwwroot\\aspnet_client\\system_web"&wmic process call create "reg save hklm\sam c:\programdata\$FILE_NAME$.log &echo [S]&cd&echo [E]
```

## Detailed Protection Timeline

| Date | Product | Protection Description |
|---|---|---|
| Prior to disclosure | Cortex XDR PRO | **Cortex XDR Analytics:** Multiple Discovery Commands. **Cortex XDR Analytics BIOC:** Uncommon net group execution; Uncommon remote service start via sc.exe; Rare SSH Session; Uncommon ARP cache listing via arp.exe; Uncommon user management via net.exe; WmiPrvSe.exe Rare Child Command Line; Script Connecting to Rare External Host. **Cortex XDR BIOC:** Remote process execution using WMI; 64-bit PowerShell spawning a 32-bit PowerShell; Suspicious PowerShell Command Line; Dumping Registry hives with passwords. |
| Prior to disclosure | Cortex XDR Prevent | **Cortex XDR Agent:** Behavioral Threat Detected\* |
| March 2 | NGFW | Threat Prevention Content Release 8380 containing vulnerability signatures for the four vulnerabilities (severity, ID, CVE-ID): critical, 90796, CVE-2021-26855; critical, 90797, CVE-2021-26858; critical, 90798, CVE-2021-27065; critical, 90800, CVE-2021-26857. |
| March 3 | Cortex XDR PRO | Content released as part of pack [2021.03.03.1](https://live.paloaltonetworks.com/t5/cortex-xdr-articles/content-release-notes/ta-p/257570). **Cortex XDR BIOC:** Exchange process writing aspx files |
| March 4 | Cortex XDR Prevent | Cortex XDR Agent content pack [170](https://downloads.paloaltonetworks.com/traps/Version_170__Traps_And_CortexXDR_Content_Update_Release_Notes.pdf?__gda__=1615449934_cb3160e2af88d3cd743f0d668df1522f). **Cortex XDR Agent:** Suspicious process creation\*\* |
| March 9 | NGFW | Threat Prevention Content Release 8383 containing additional vulnerability signatures for the "ProxyLogon" vulnerability (severity, ID, CVE-ID): critical, 90815, CVE-2021-26855. |
| March 10 | Cortex XDR Prevent | Cortex XDR Agent content pack 171. **Cortex XDR Agent:** Behavioral Threat Prevention\*\*\* |
| March 15 | XDR Agent 7.3.1 | New Cortex XDR agent version which allows for visibility into CVE-2021-28655 exploitation attempts (agent content pack 171-54296) |

\* On post-exploitation activities such as Mimikatz usage prevention.

\*\* Preventing the execution of attacks from the China Chopper webshells.

\*\*\* Preventing writing of webshells by exploited IIS Servers.

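The five XQL hunts in the hunting section above, re-expressed as an offline triage script for exported endpoint events. This is an added example, not code from Unit 42 or Cortex XDR: it assumes events arrive as dictionaries keyed by the XQL field names used in the queries, and the function names and sample events are constructed for illustration.

```python
import re

# Patterns transcribed from the XQL hunts on this page. Assumptions: `~=` is an
# unanchored regex search and the leading `*` in the exclusion is a wildcard.
WEBSHELL_DIRS = re.compile(
    r"(\\inetpub\\wwwroot\\aspnet_client\\|\\frontend\\httpproxy\\owa\\auth\\"
    r"|\\frontend\\httpproxy\\ecp\\auth\\)")
STAGING = re.compile(
    r"c:\\programdata\\[a-zA-Z0-9]+\.(rar|zip|zipx|7z)"
    r"|(c:\\root\\[a-zA-Z0-9]+\.dmp$|c:\\windows\\temp\\[a-zA-Z0-9]+\.dmp$)")
BENIGN_ASPX = r"\frontend\httpproxy\ecp\auth\timeoutlogoff.aspx"
WEB_WRITERS = {"umworkerprocess.exe", "w3wp.exe", "umservice.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
DISCOVERY = {"net.exe", "quser.exe", "certutil.exe", "arp.exe", "hostname.exe",
             "whoami.exe", "netstat.exe", "ping.exe", "ipconfig.exe",
             "wmic.exe", "del.exe"}
WER = {"werfault.exe", "wermgr.exe"}
CHOPPER_MARK = "[s]&cd&echo [e]"


def low(ev, field):  # lower-cased value (case_sensitive = false); missing -> ""
    return str(ev.get(field) or "").lower()


def hunt_file(ev):
    """Names of the page's file hunts that this event matches."""
    hits = []
    if ev.get("event_type") != "FILE" or ev.get("event_sub_type") not in (
            "FILE_WRITE", "FILE_CREATE_NEW"):
        return hits
    path = low(ev, "action_file_path")
    if (low(ev, "action_file_extension") == "aspx"
            and WEBSHELL_DIRS.search(path)
            and not path.endswith(BENIGN_ASPX)  # the query's one exclusion
            and low(ev, "actor_process_image_name") in WEB_WRITERS):
        hits.append("aspx_write_by_iis_or_exchange")
    if "server" in low(ev, "agent_os_sub_type") and STAGING.search(path):
        hits.append("staging_archive_or_dump")
    return hits


def hunt_process(ev):
    """Names of the page's process hunts that this event matches."""
    hits = []
    started = ev.get("event_sub_type") == "PROCESS_START"
    actor = low(ev, "actor_process_image_name")
    child = low(ev, "action_process_image_name")
    if (started and actor == "w3wp.exe" and child == "cmd.exe"
            and CHOPPER_MARK in low(ev, "action_process_image_command_line")):
        hits.append("china_chopper_cmdline")
    if (low(ev, "causality_actor_process_image_name") == "w3wp.exe"
            and actor in SHELLS and child in DISCOVERY):
        hits.append("discovery_from_iis")
    if (started and low(ev, "os_actor_process_image_name") == "umworkerprocess.exe"
            and child not in WER):  # crash reporters are expected children
        hits.append("umworkerprocess_child")
    return hits


def triage(events):
    """Map event index -> matched hunt names, skipping events with no hits."""
    hits = {i: hunt_file(ev) + hunt_process(ev) for i, ev in enumerate(events)}
    return {i: h for i, h in hits.items() if h}


# Constructed sample events. The supp0rt.aspx path and the command line come
# from the Observed Activities section; every other value is made up.
SAMPLE_EVENTS = [
    dict(event_type="FILE", event_sub_type="FILE_CREATE_NEW",  # 0: webshell drop
         action_file_path=r"C:\inetpub\wwwroot\aspnet_client\supp0rt.aspx",
         action_file_extension="aspx", actor_process_image_name="w3wp.exe"),
    dict(event_type="FILE", event_sub_type="FILE_WRITE",  # 1: excluded file
         action_file_path=r"D:\Exch\FrontEnd\HttpProxy\ecp\auth\TimeoutLogoff.aspx",
         action_file_extension="aspx", actor_process_image_name="w3wp.exe"),
    dict(event_type="PROCESS", event_sub_type="PROCESS_START",  # 2: China Chopper
         actor_process_image_name="w3wp.exe", action_process_image_name="cmd.exe",
         action_process_image_command_line=r'"cmd" /c cd /d "C:\\inetpub\\wwwroot'
         r'\\aspnet_client\\system_web"&arp -a&echo [S]&cd&echo [E]'),
    dict(event_type="PROCESS", event_sub_type="PROCESS_START",  # 3: discovery
         causality_actor_process_image_name="w3wp.exe",
         actor_process_image_name="cmd.exe", action_process_image_name="arp.exe"),
    dict(event_type="FILE", event_sub_type="FILE_CREATE_NEW",  # 4: staged archive
         action_file_path=r"C:\ProgramData\a1.7z", action_file_extension="7z",
         actor_process_image_name="cmd.exe", agent_os_sub_type="Windows Server 2019"),
    dict(event_type="PROCESS", event_sub_type="PROCESS_START",  # 5: expected child
         os_actor_process_image_name="UMWorkerProcess.exe",
         action_process_image_name="WerFault.exe"),
    dict(event_type="PROCESS", event_sub_type="PROCESS_START",  # 6: unexpected child
         os_actor_process_image_name="UMWorkerProcess.exe",
         action_process_image_name="cmd.exe"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Events 1 and 5 are the cases the queries deliberately exclude, so they show whether an export-side reimplementation keeps the same allowances as the XQL.
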
## Conclusion

Due to the alarming activity of threat actors exploiting these zero-day vulnerabilities against vulnerable Microsoft Exchange servers, we strongly advise immediately updating all Microsoft Exchange servers to the latest available patched versions released by Microsoft. We also advise updating to the latest product and content version, and hunting for threats using the supplied XQL queries and the existing protection mechanisms within the product.

Read the Unit 42 Threat Assessment [here](https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/).