# Bye Whack-a-Mole: The New Cortex Generic Persistence Analytics Module

By [Tom Fakterman](https://www.paloaltonetworks.com/blog/author/tom-fakterman/?ts=markdown "Posts by Tom Fakterman"), [Yoav Zemah](https://www.paloaltonetworks.com/blog/author/yoav-zemah/?ts=markdown "Posts by Yoav Zemah") and [Matan Haim Guez](https://www.paloaltonetworks.com/blog/author/matan-haim-guez/?ts=markdown "Posts by Matan Haim Guez")

Oct 10, 2024 | 14 minutes

Categories: [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/?ts=markdown). Tags: [Cortex XDR](https://www.paloaltonetworks.com/blog/tag/cortex-xdr/?ts=markdown), [Generic Persistence Analytics](https://www.paloaltonetworks.com/blog/tag/generic-persistence-analytics/?ts=markdown)

Research by: Matan Haim Guez, Tom Fakterman, Yoav Zemah

## Executive Summary

One of the key phases of the cyberattack lifecycle is the persistence phase. In its essence, persistence deals with maintaining a foothold in a compromised system, usually by setting up automatic execution of malicious code on system startup, on user login, or upon specific system events. Nowadays there are dozens of documented persistence techniques that are actively used by threat actors in the wild.

Given its criticality, its variety, and its tendency to occur in the earlier stages of an attack, the persistence phase poses great challenges for defenders who wish to detect and prevent an attack as early as possible. The daunting task of tracking different persistence mechanisms one by one can lead to many false negatives (FN). In addition, trying to keep track of each new method or detection bypass technique is often futile and can be likened to a game of "whack-a-mole".

To face this challenge, the Palo Alto Networks Cortex Research Team developed a unique suite of detection modules titled "**Generic Persistence Analytics**". This module leverages unique insights derived from our machine learning (ML) and analytics engine to detect the execution of malicious files during the persistence phase, regardless of the technique that was used to achieve it.

In this writeup we dive into the technical details of this data-driven approach. We also provide real-life use cases demonstrating persistence detection by the **Generic Persistence Analytics** module.
## Table of Contents

* Executive Summary
* Table of Contents
* Windows Malware Persistence in a Nutshell
* Different Persistence Techniques
* Current Persistence Detection Approach and Challenges
* The Generic Persistence Analytics Suite
* The Concept of Generalization
* Implementation
* The Rationale of Examining Parent Processes
* Statistic-Based & Machine Learning Detection Capabilities
* Cyber Features: Diving into Details
* Persistence in the Wild
* Glupteba
* XWorm
* Agent Tesla
* Conclusion
* Indicators of Compromise

## Windows Malware Persistence in a Nutshell

In the [attack lifecycle](https://www.paloaltonetworks.com/cyberpedia/how-to-break-the-cyber-attack-lifecycle), persistence is considered a key stage in maintaining a foothold in a compromised environment. Persistence is the repeated execution of a program under a predetermined condition that depends on the operating system. In Windows user mode there are several known persistence mechanisms, such as [registry AutoRun keys](https://attack.mitre.org/techniques/T1547/001/), [scheduled tasks](https://attack.mitre.org/techniques/T1053/005/), and [system services](https://attack.mitre.org/techniques/T1543/002/). In kernel mode there are low-level components such as drivers, which are loaded and executed by the kernel at an early stage of the boot process and can be used as a persistence mechanism as well. The variety of persistence methods helps conceal the root cause of a given malware's execution.
Moreover, malware can escalate its privileges through malicious use of a mechanism's features. For example, an attacker can create a new scheduled task on a compromised machine and configure it to execute their malicious payload with administrator privileges.

## Different Persistence Techniques

Below are examples of common persistence mechanisms, representing only the tip of the iceberg in terms of the persistence mechanisms used in the wild:

* [**Scheduled Tasks**](https://attack.mitre.org/techniques/T1053/005/): This Windows system feature allows users to automate tasks by setting them to execute periodically at certain times or upon certain events. It can be configured to execute potentially malicious scripts, applications, or even administrative tasks without requiring user intervention.
* [**Registry autorun keys**](https://attack.mitre.org/techniques/T1547/001/) **and** [**startup folders**](https://attack.mitre.org/techniques/T1547/001/): Registry AutoRun keys allow attackers to add entries to the Windows registry and run malicious code automatically at startup or user login. Similarly, attackers may simply place a shortcut to malware in a [Windows startup folder](https://attack.mitre.org/techniques/T1547/001/) to ensure its execution upon user login.
* [**Bootkits**](https://attack.mitre.org/techniques/T1542/003/): These are sophisticated types of malware that infect a computer's boot process, allowing them to run before the operating system starts. Bootkits can obtain low-level system control by compromising the boot procedure, making them exceedingly difficult to detect and uninstall. Because of that, bootkits are an effective weapon of choice for attackers seeking long-term and stealthy persistence on a target's machine. This is usually done by infecting the [**MBR**](https://attack.mitre.org/techniques/T1542/003/) (Master Boot Record) or the Unified Extensible Firmware Interface ([**UEFI**](https://attack.mitre.org/techniques/T1542/001/)).
* [**Winlogon registry key**](https://medium.com/@s12deff/winlogon-windows-reverse-shell-persistence-60ab10a31c4): Winlogon is an essential Windows operating system component that manages user logins and other session-related actions. Attackers can modify the registry values [**Shell**, **Userinit**, and **Notify**](https://attack.mitre.org/techniques/T1547/004/) in the Winlogon registry keys to point at a malicious executable or script that runs instead of (or alongside) explorer.exe and userinit.exe, establishing persistence at an early startup stage.
* [**WMI**](https://practicalsecurityanalytics.com/persistence-with-wmi-event-subscription-and-powershell-cradles/) **(Windows Management Instrumentation)**: WMI is a framework that allows scripts and applications to manage devices, services, and processes in a Windows environment. [**WMI event subscriptions**](https://learn.microsoft.com/en-us/windows/win32/wmisdk/receiving-a-wmi-event) are a powerful mechanism that can be abused for persistence, allowing an attacker to automatically trigger malicious actions based on specific system events. An attacker can create a **persistent WMI subscription** by defining an event filter that fires on certain system events (e.g., at system boot or user login) and binding it to a malicious script or executable.

## Current Persistence Detection Approach and Challenges

Upon conducting our research, we concluded that the current approach in the cybersecurity industry for detecting malicious persistence is to observe and detect the action of **setting up the various known persistence mechanisms**. For example, when detecting registry persistence, vendors look for a process that sets a value in the registry under one of the known AutoRun keys.
There are multiple issues with this approach:

* Legitimate products and applications also use persistence as a feature, making it hard to discern between legitimate persistence and malware-generated persistence, thus resulting in an extensive number of false positive (FP) alerts that do not necessarily indicate malicious activity.
* The aforementioned detection approach, coupled with the variety of built-in mechanisms in Windows, encourages security vendors to create more ad-hoc detections over time.
* If one specific detector fails, it is far more difficult to determine the persistence mechanism for malware launched at startup or login, and a more challenging in-depth investigation of the artifacts from the affected machine is required.
* If the infection employs a new persistence technique that security vendors are unaware of, no alert is delivered, making it far more difficult to identify the malware's initial persistence technique and completely remediate the compromised machine.

The wide range of persistence techniques, combined with limited detection approaches, has created a problem for all security products and vendors, diminishing the ability to detect different and **new** persistence methods.

# The Generic Persistence Analytics Suite

The Cortex XDR research team chose to handle the problem of detecting **malicious persistence** using a novel approach that required us to step back from the common detection-by-technique method and embrace what we call "The Concept of Generalization", using our set of detectors now known as the **"Generic Persistence Analytics"**. The new detection suite detects startup persistence techniques frequently employed by malware in the wild, while focusing on the execution stage, where a malicious payload is executed by a persistence mechanism.
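Every mechanism in the list above ends by launching some program, and a setup-time detector has to know where each mechanism stores that launch. The following added example (written for this page; it is not code from the post or from Cortex) walks a constructed snapshot of Run keys, the startup folder, scheduled tasks, the Winlogon Shell and Userinit values, and WMI command-line consumers, reduces each entry to the executable it will run, and attaches two triage hints: a Winlogon value that is not the stock one, and an image under a user-writable directory. The snapshot layout, field names and hint rules are assumptions made here.

```python
"""Reduce configured persistence entries to the program each one will launch.

Added example for this page, not code from the post or from Cortex: it walks a
constructed snapshot of several mechanisms described above (Run keys, the
startup folder, scheduled tasks, Winlogon values, WMI command-line consumers)
and normalizes each entry to the executable it would run, attaching triage
hints. The snapshot layout, field names and hint rules are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Stock Winlogon values on a default Windows install (well-known defaults).
WINLOGON_DEFAULTS = {"Shell": "explorer.exe", "Userinit": r"C:\Windows\system32\userinit.exe"}
# Directories an unprivileged user can write to. A launch from here is a hint,
# not a verdict: plenty of legitimate per-user software lives there too.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\Public)\\", re.I)


@dataclass(frozen=True)
class StartupEntry:
    mechanism: str          # which mechanism configures the launch
    source: str             # registry value, shortcut, task or consumer name
    image: str              # executable image that will actually run
    hints: tuple[str, ...]  # triage hints; empty when nothing stands out


def extract_image(command: str) -> str:
    """Return the executable from a Windows command line.

    Handles a quoted image ("C:\\Program Files\\x.exe" /arg) and an unquoted one
    that ends at the first whitespace after a program suffix. Script hosts
    (wscript.exe, powershell.exe, ...) come back as the image; the script they
    load sits in the arguments and needs its own review.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = re.match(r"(\S+?\.(?:exe|com|cmd|bat))(?:\s|$)", command, re.I)
    return match.group(1) if match else command.split()[0]


def _entry(mechanism: str, source: str, command: str, *extra: str) -> StartupEntry:
    image = extract_image(command)
    hints = list(extra)
    if USER_WRITABLE.search(image):
        hints.append("image lives under a user-writable path")
    return StartupEntry(mechanism, source, image, tuple(hints))


def normalize(snapshot: dict) -> list[StartupEntry]:
    """Flatten every configured launch in the snapshot into StartupEntry rows."""
    rows: list[StartupEntry] = []
    for key, values in snapshot.get("run_keys", {}).items():
        for name, cmd in values.items():
            rows.append(_entry("registry_run", f"{key}\\{name}", cmd))
    for lnk in snapshot.get("startup_folder", []):
        rows.append(_entry("startup_folder", lnk["lnk"], lnk["target"]))
    for task in snapshot.get("scheduled_tasks", []):
        rows.append(_entry("scheduled_task", task["name"], task["action"]))
    for value, default in WINLOGON_DEFAULTS.items():
        # Both values are comma-separated lists and every element is launched,
        # so anything beyond the stock program deserves a look.
        configured = snapshot.get("winlogon", {}).get(value, default)
        for part in (p.strip() for p in configured.split(",") if p.strip()):
            extra = () if part.lower() == default.lower() else ("not the stock Winlogon value",)
            rows.append(_entry(f"winlogon_{value.lower()}", f"Winlogon\\{value}", part, *extra))
    for consumer in snapshot.get("wmi_consumers", []):
        rows.append(_entry("wmi_subscription", consumer["name"], consumer["command_line"]))
    return rows


def flagged(snapshot: dict) -> list[StartupEntry]:
    """Entries carrying at least one triage hint."""
    return [row for row in normalize(snapshot) if row.hints]


# Constructed snapshot: stock Windows, legitimate per-user software, and two
# entries that would not be expected on a clean workstation.
SAMPLE_SNAPSHOT = {
    "run_keys": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "Updater": r"C:\Users\alice\AppData\Roaming\updater.exe -silent"}},
    "startup_folder": [{"lnk": "Slack.lnk", "target": r"C:\Users\alice\AppData\Local\slack\slack.exe"}],
    "scheduled_tasks": [
        {"name": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan", "action": r"%SystemRoot%\system32\usoclient.exe StartScan"},
        {"name": r"\Sync", "action": r'"C:\ProgramData\sync\sync.exe" /run'}],
    "winlogon": {"Shell": r"explorer.exe, C:\Users\alice\AppData\Roaming\shell.exe",
                 "Userinit": r"C:\Windows\system32\userinit.exe,"},
    "wmi_consumers": [{"name": "SyncConsumer", "command_line": r"wscript.exe C:\ProgramData\sync\sync.vbs"}],
}

if __name__ == "__main__":
    for row in normalize(SAMPLE_SNAPSHOT):
        print(f"{row.mechanism:18} {row.image:62} {'; '.join(row.hints)}")
```

Run it and note that OneDrive and Slack carry the same user-writable hint as the unexpected updater and shell entries: a location rule cannot tell them apart, which is the false-positive problem described above. An entry stored by a mechanism the snapshot does not enumerate produces no row at all, which is the false-negative side of the same approach.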
## The Concept of Generalization

In the context of detecting malicious persistence activity, generalization refers to a detection mechanism's capacity to effectively detect a wide range of malicious persistence techniques, even unknown techniques that have yet to be reported. It guarantees that the detection mechanism is effective against a wide range of threats, not only those already known and detected. In practice, this means that we utilized **Generic Persistence Analytics** to detect the majority of malicious startup persistence without adding technique-specific detections. A diagram representing the difference between the generic approach and the existing persistence detection approaches on the market can be seen in Figure 1.

![Figure 1. The differences in approaches between Generic Persistence Analytics and existing detection in the market](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/10/word-image-329936-1.png)

Figure 1. The differences in approaches between Generic Persistence Analytics and existing detection in the market

# Implementation

To solve the persistence detection problem in a generic way, we needed to focus on one thing that almost all persistence mechanisms have in common: they all eventually execute a process. As mentioned before, we focus on process execution at an early startup stage, since persistence is triggered on startup. With this in mind, we began our implementation by collecting all process execution events at startup. However, in order to establish an efficient and precise detection, we needed to continue researching the data collected from those process execution events.

## Statistic-Based and Machine Learning Detection Capabilities

In order to create statistics-based detection while collecting all process execution events at launch, we used Cortex [Analytics](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Analytics).
The Cortex Analytics Engine generates aggregations based on real-time events from Cortex agents. These aggregations are then used to construct baselines of common behaviors globally, for each organization, and for every agent. The detector then asks the necessary questions to decide with certainty whether an action is usual or unusual for every event. These questions direct us to the main objects we should aggregate and the relationships between them, such as:

* How popular is the process in the organization?
* How popular is the execution of the process by a specific persistence mechanism?
* How many days have we seen this process executed on startup in the organization?

As with every detection, there is a delicate balance between FPs and FNs. We can filter out FPs by asking the aforementioned statistics-based questions and more. By providing **Generic Persistence Analytics** with such power, we can successfully address an existing problem that was a real pain for persistence detection.

## The Rationale of Related Entities

When collecting different process execution events on startup, it is important to note that all of these collected events have the potential to be malicious persistence events. To determine which process execution was malicious, we needed to investigate all processes engaged in spawning child processes during the boot procedure. During our research of processes executed at an early stage of the operating system's boot, we discovered that we can determine the persistence mechanism for the majority of **known persistence techniques**, and can direct affected organizations to the corresponding persistence mechanism used for a specific malicious activity. Figure 2 below depicts the different alerts raised by the two approaches, the current and the generic.

![Figure 2. Differences in detection stages between current detection approaches and the Generic Persistence Analytics](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/10/word-image-329936-2.png)

Figure 2. Differences in detection stages between current detection approaches and the Generic Persistence Analytics

## Cyber Features: Diving into Details

Cortex XDR Analytics is a data-driven detection engine that collects both behavioral and static information in order to raise suspicion on certain process images in addition to executed processes. To create the **Generic Persistence Analytics**, we collected data features from Portable Executable (PE) files and compared them against a number of conditions. We were able to identify aspects of a PE file that, along with other features, assist in flagging processes as malicious. Some of those features include:

* Signature status: the validity of the signature, its rarity in the organization, etc.
* PE metadata: has it been modified?
* Was the process's execution part of a known persistence mechanism?

The above list is just a part of the capabilities of Cortex XDR Analytics. When we combined these features with statistics-based and machine-learning detection, we achieved incredible precision and efficiency. Figure 3 depicts these features, which we call "cyber-features", that answer the above questions upon process execution.

![Figure 3. Checking cyber-features when a persistence execution is detected](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/10/word-image-329936-3.jpeg)

Figure 3. Checking cyber-features when a persistence execution is detected

# Persistence in the Wild

The following section provides real-life cases found in our telemetry, showcasing various malware families that use different persistence techniques, all of which are caught by the **Generic Persistence Analytics** module regardless of the persistence technique implemented.
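To show how the three statistics questions, the parent-process attribution of the mechanism, and the cyber-features listed above combine into a verdict, here is an added example (written for this page; it is not code from the post or from Cortex). It builds organization-wide baselines from a constructed fleet of startup execution events, attributes each event to a persistence mechanism from its parent process, and scores it. The event schema, the parent-to-mechanism heuristic, the rarity threshold and the point weights are all assumptions made here; the post does not publish Cortex's actual aggregations or weights.

```python
"""Baseline-driven scoring of startup process executions.

Added example for this page, not code from the post or from Cortex: it applies
the three statistics questions and the cyber-features listed above to a
constructed fleet of startup execution events. The event schema, the
parent-to-mechanism heuristic, the rarity threshold and the weights are all
assumptions made for this example.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

RARE = 0.10  # assumed: present on under 10% of the fleet's hosts counts as rare


@dataclass(frozen=True)
class StartupExec:
    host: str
    day: str         # YYYY-MM-DD; distinct days answer "how long have we seen it"
    image: str       # executable image, lower-cased on ingestion
    parent: str      # parent process image
    parent_cmd: str  # parent command line, needed to tell svchost instances apart
    signed: bool     # Authenticode signature present and valid
    signer: str      # signer subject, "" when unsigned


def infer_mechanism(ev: StartupExec) -> str:
    """Assumed heuristic: the parent that launched the image identifies the
    persistence mechanism that fired. An unknown parent is itself a feature."""
    p, cmd = ev.parent.lower(), ev.parent_cmd.lower()
    if p.endswith("services.exe"):
        return "service"
    if (p.endswith("svchost.exe") and "schedule" in cmd) or p.endswith("taskeng.exe"):
        return "scheduled_task"
    if p.endswith("wmiprvse.exe"):
        return "wmi_subscription"
    if p.endswith("winlogon.exe"):
        return "winlogon_userinit"  # the Userinit value is run by winlogon.exe
    if p.endswith("userinit.exe"):
        return "winlogon_shell"  # the Shell value is run by userinit.exe
    if p.endswith("explorer.exe"):
        return "run_key_or_startup_folder"  # both are launched by the shell
    return "unknown"


class Baseline:
    """Organisation-wide counters from which the statistics questions are answered."""
    def __init__(self, events: list[StartupExec]):
        self.hosts = len({e.host for e in events})
        self.hosts_by_image, self.days_by_image = defaultdict(set), defaultdict(set)
        self.launches_by_image_mech, self.hosts_by_signer = defaultdict(int), defaultdict(set)
        for e in events:
            self.hosts_by_image[e.image].add(e.host)
            self.days_by_image[e.image].add(e.day)
            self.launches_by_image_mech[(e.image, infer_mechanism(e))] += 1
            if e.signed:
                self.hosts_by_signer[e.signer].add(e.host)


def score(ev: StartupExec, base: Baseline) -> tuple[int, list[str]]:
    """Turn the statistics questions and cyber-features into points plus reasons."""
    mech = infer_mechanism(ev)
    checks = [
        (len(base.hosts_by_image[ev.image]) / base.hosts < RARE, 2, "image is rare in the organisation"),
        (len(base.days_by_image[ev.image]) < 3, 1, "seen at startup on fewer than 3 days"),
        (base.launches_by_image_mech[(ev.image, mech)] <= 1, 1, f"first launch via {mech}"),
        (not ev.signed, 2, "image is unsigned"),
        (ev.signed and len(base.hosts_by_signer[ev.signer]) / base.hosts < RARE, 1, "signer is rare in the organisation"),
        (mech == "unknown", 1, "not attributable to a known persistence mechanism"),
    ]
    hits = [(points, why) for cond, points, why in checks if cond]
    return sum(points for points, _ in hits), [why for _, why in hits]


def detect(events: list[StartupExec], threshold: int = 4) -> dict[str, tuple[int, list[str]]]:
    """Image -> (score, reasons) for every image that reaches the threshold."""
    base, flagged = Baseline(events), {}
    for ev in events:
        points, reasons = score(ev, base)
        if points >= threshold and ev.image not in flagged:
            flagged[ev.image] = (points, reasons)
    return flagged


def constructed_events() -> list[StartupExec]:
    """Constructed fleet: 20 hosts over 5 days running stock Windows plus an IT
    agent, one host with a niche signed app and one host with an unsigned newcomer."""
    sched = (r"c:\windows\system32\svchost.exe", "svchost.exe -k netsvcs -p -s Schedule")
    shell = (r"c:\windows\explorer.exe", "explorer.exe")
    scm = (r"c:\windows\system32\services.exe", "services.exe")
    days = [f"2024-10-0{d}" for d in range(1, 6)]
    evs: list[StartupExec] = []
    for h in (f"ws-{i:02d}" for i in range(20)):
        for d in days:
            evs += [StartupExec(h, d, r"c:\users\u\appdata\local\microsoft\onedrive\onedrive.exe", *shell, True, "Microsoft Corporation"),
                    StartupExec(h, d, r"c:\windows\system32\usoclient.exe", *sched, True, "Microsoft Windows"),
                    StartupExec(h, d, r"c:\program files\acmeit\agent.exe", *scm, True, "Acme IT Ltd")]
    evs += [StartupExec("ws-03", d, r"c:\users\u\appdata\local\programs\notes\notes.exe", *shell, True, "Contoso Notes Ltd") for d in days]
    evs.append(StartupExec("ws-07", days[-1], r"c:\users\u\appdata\roaming\updater.exe", *sched, False, ""))
    return evs
```

Calling `detect(constructed_events())` flags only the unsigned newcomer launched by the task scheduler on one host on one day, while the signed niche application present on a single host stays below the threshold because it has been seen on every day and carries a valid signature. That gap between the two rare images is the FP/FN balance the section describes; in this toy version it is tuned with the `RARE` cut-off and the `threshold` argument, and an `unknown` mechanism adds points rather than silencing the detector, which is how the generic approach covers techniques the parent mapping does not know.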
## Glupteba

Glupteba is an advanced modular malware that is mostly used in financially driven cybercrime operations. In February 2024, [Unit 42 researchers analyzed](https://unit42.paloaltonetworks.com/glupteba-malware-uefi-bootkit/) a previously undocumented feature of Glupteba: a UEFI bootkit. Glupteba has multiple downloadable modules at its disposal, which give the malware the following capabilities:

* Delivering additional payloads.
* Stealing credentials from various software.
* Stealing sensitive information, including credit card data.
* Enrolling the infected system in a crypto-mining botnet.
* Cryptojacking and delivering cryptominers.
* Performing digital advertising fraud.
* Stealing Google account information.
* Bypassing User Account Control (UAC) together with both rootkit and bootkit components.
* Exploiting routers to gain credentials and remote administrative access.

In order to achieve persistence, Glupteba uses an open-source and portable UEFI bootkit named [EfiGuard](https://github.com/Mattiwatti/EfiGuard). EfiGuard patches the Windows kernel by executing a UEFI driver (EfiGuardDxe.efi) to disable [PatchGuard](https://en.wikipedia.org/wiki/Kernel_Patch_Protection) and [driver signature enforcement](https://learn.microsoft.com/en-us/windows-hardware/drivers/install/driver-signing) (DSE). Additional analysis of Glupteba's UEFI bootkit process is detailed in the aforementioned [Unit 42 analysis](https://unit42.paloaltonetworks.com/glupteba-malware-uefi-bootkit/). Figure 4 shows Glupteba's execution after a reboot of the infected machine.

![Figure 4. Glupteba's execution after a reboot of the infected machine as depicted in Cortex XDR](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/10/word-image-329936-4.png)

Figure 4. Glupteba's execution after a reboot of the infected machine as depicted in Cortex XDR

Cortex XDR detects and prevents Glupteba's persistence mechanism.
Figure 6 and Figure 7 show the Cortex XDR alert for Glupteba's detected persistence.

![Figure 6. Alert title for Glupteba's persistence in Cortex XDR.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/10/word-image-329936-5.png)

Figure 6. Alert title for Glupteba's persistence in Cortex XDR.

![Figure 7. Alert description for Glupteba's persistence in Cortex XDR.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/10/word-image-329936-6.png)

Figure 7. Alert description for Glupteba's persistence in Cortex XDR.

## XWorm

[XWorm](https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm) is a Windows remote access trojan (RAT) written in .NET and sold online in popular hacking forums and various underground marketplaces under the user aliases "XCoder" or "EvilCoder". Figure 8 shows an online marketplace that sells XWorm.

![Figure 8. Online marketplace which sells XWorm RAT.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/10/word-image-329936-7.png)

Figure 8. Online marketplace which sells XWorm RAT.

The XWorm RAT has many typical remote administration capabilities and features, including:

* Keylogging and window monitoring.
* Process and script execution.
* Webcam and microphone monitoring.
* File system interaction.
* File upload and download.
* Interactive shell.
* Password stealing.
* Ransomware.
* Distributed denial-of-service (DDoS) attacks.

When examining XWorm's persistence mechanism, we noticed that it is capable of using several common techniques depending on the malware's configuration:

* Creating a scheduled task.
* Registry autorun keys.
* Placing a copy of itself in the Windows startup folder.

The Cortex XDR **Generic Persistence Analytics** suite detects and prevents XWorm's aforementioned persistence mechanisms using its unique approach. Figure 9 and Figure 10 show the execution and detection of a scheduled task created by XWorm as seen in Cortex XDR.

![Figure 9. XWorm creating a scheduled task seen in Cortex XDR](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/10/word-image-329936-8.png)

Figure 9. XWorm creating a scheduled task seen in Cortex XDR

![Figure 10. Alert for XWorm persistence via scheduled task in Cortex XDR](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/10/word-image-329936-9.png)

Figure 10. Alert for XWorm persistence via scheduled task in Cortex XDR

## Agent Tesla

[Agent Tesla](https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla) is a Windows information stealer written in .NET that has been active since at least 2014. It is sold on the dark web and primarily distributed through phishing emails. Agent Tesla's capabilities are extensive, and its builder allows attackers to use a variety of configurations, enabling them to craft variants with different capabilities upon each compilation. The primary capabilities of Agent Tesla include:

* **Stealing sensitive information:** Agent Tesla can extract sensitive information stored on an infected device. It is particularly effective at stealing credentials, including those stored in web browsers (such as passwords, cookies, and autofill data), FTP clients (like FileZilla), and VPN clients (such as OpenVPN).
* **Keylogging:** Another significant capability of Agent Tesla is its keylogging functionality. It can capture every keystroke of the user, including typed passwords, messages, and any other input.
* **Taking screenshots:** Agent Tesla can periodically capture screenshots of the victim's desktop. This feature can capture sensitive information displayed on the screen, such as private messages, documents, or images.

Agent Tesla can achieve persistence using various techniques, such as adding itself to the startup folder (thus ensuring it runs every time the infected system boots up), creating scheduled tasks, and modifying registry keys.
Figures 11 and 12 illustrate the execution and detection of Agent Tesla adding a copy of itself to the Windows startup folder, as observed in Cortex XDR.

![Figure 11. Agent Tesla adds itself to the startup folder as seen in Cortex XDR](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/10/word-image-329936-10.png)

Figure 11. Agent Tesla adds itself to the startup folder as seen in Cortex XDR

![Figure 12. Alert for Agent Tesla persistence via the startup folder in Cortex XDR](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/10/word-image-329936-11.png)

Figure 12. Alert for Agent Tesla persistence via the startup folder in Cortex XDR

# Conclusion

In this writeup, we introduced the novel Cortex **Generic Persistence Analytics** detection suite. We demonstrated how the **Generic Persistence Analytics** suite, built on the Cortex Analytics engine, provides a substantial breakthrough in the detection of both known and previously undisclosed persistence techniques, using a novel statistics-based approach. We reviewed common persistence mechanisms and demonstrated, through real-life use cases, how the **Cortex Generic Persistence Analytics** suite detects and prevents these advanced threats, ranging from RATs to bootkits. By harnessing the power of machine learning and statistics-based methodologies together with substantial cybersecurity expertise, the Cortex Analytics research team was able to create a comprehensive approach that meets the complicated nature of the ever-evolving threat landscape, raising the bar of endpoint protection once again.
