# Hunt and Investigate Removable Drive Threats with Cortex XDR

By [Eli Barr](https://www.paloaltonetworks.com/blog/author/eli-barr/?ts=markdown "Posts by Eli Barr"), Apr 19, 2023. 12 minute read.
### **Executive Summary**

USB file storage devices have been a popular infection vector for cybercriminals for many years. Despite the development of new infection methods, USB drives continue to be a significant threat to modern-day organizations. One of the most notable examples of this is the [Stuxnet worm](https://www.paloaltonetworks.com/blog/2015/01/cybersecurity-canon-countdown-zero-day-stuxnet-launch-worlds-first-digital-weapon/), but current-day examples include [Raspberry Robin](https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/), a widespread and dangerous worm that can lead to post-infection ransomware, and [PlugX](https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/), a sophisticated malware family used by multiple APT groups. The Unit 42 Managed Threat Hunting team has identified execution attempts of Raspberry Robin, PlugX, and more across multiple victims over the past several months, indicating that this infection vector is one that still requires attention from defenders.

Threat actors rely on unsuspecting users discovering infected devices and inserting them into systems, where wormable USB malware can persist and spread to other removable media or network drives. This can happen in various ways, such as a USB drive left in a parking lot or a seemingly harmless device given as a gift. Once plugged in, the malware can quietly infiltrate the network and begin to cause damage.
In this article, we will take an in-depth look at threats from removable USB file storage devices. We'll share real-life examples of how USB malware can infiltrate an organization and wreak havoc, show how to identify and investigate it with Cortex XDR, and examine the reasons why these types of attacks are still so effective.

### **Step 1: Identify mount/insertion events**

```
// Description: Use Host Insights data to list all attached removable drives.
dataset = host_inventory
| fields host_name, os_type, agent_*, disks, ip_addresses
| arrayexpand disks
| alter drive_type = disks -> drive_type
| alter file_systems = disks -> file_systems
| alter free_space = disks -> free_space
| alter size = disks -> size
| alter device = disks -> device
| alter disk_name = disks -> name
| filter drive_type = "2" // 2: Removable
```

Identifying all mounted removable media devices is a crucial first step in protecting against USB-borne malware. Identifying these devices can seem daunting, but there are a few simple ways to get started with Cortex XDR. One option is to utilize a Host Insights license and run the query above to list all removable disks currently mounted on managed hosts. This provides a comprehensive overview of the removable devices connected to your systems and can help identify any potential threats.
```
// Description: Show drive mount activity
dataset = xdr_data
| filter event_type = ENUM.MOUNT
| alter mount_point = action_mount_device_info -> storage_device_mount_point
| alter storage_device_class_name = action_mount_device_info -> storage_device_class_name
| alter vendor_id = action_mount_device_info -> storage_device_vendor_id
| alter product_id = action_mount_device_info -> storage_device_product_id
| alter storage_device_drive_type = action_mount_device_info -> storage_device_drive_type
| fields _time, agent_hostname, action_mount_device_info, mount_point, storage_device_*, vendor_id, product_id, agent_os_type, agent_os_sub_type
| filter storage_device_drive_type = "2" // 2: Removable
```

Another option to identify mounted removable media devices is to use the query provided above. This approach offers two additional benefits over the Host Insights license method. First, it allows you to access historical data to see telemetry from device mounts even after the user has removed the drive. This can be particularly useful in identifying patterns of suspicious activity and tracking the spread of malware within your network. Second, the query provides the VID and PID (vendor ID and product ID) when available. This information can be used to look up the device using the Linux USB ID repository (http://www.linux-usb.org/usb-ids.html), which provides additional context about the device, including the manufacturer and model. You can also upload the USB ID CSV file as a lookup table into your Cortex XDR tenant to enrich the data directly, making it easier to identify the device, manufacturer, and other details.

```
// Description: Detect USB devices inserted into a Windows machine. Uses registry events to detect these devices.
config case_sensitive = false
| dataset = xdr_data
| filter event_type = ENUM.REGISTRY and (action_registry_key_name contains "enum\usb") and action_registry_value_name contains "DeviceDesc"
| fields agent_hostname, actor_effective_username, actor_process_image_path, action_registry*
```

The last method provided above is not specific to USB file storage devices, but it can be a useful part of any investigation into potential USB-borne malware. This query uses registry events to capture insertions of any USB device. When a USB device is inserted into a system, a registry key is written under the following path:

`HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\`

This query can be useful in identifying potential threats because it typically captures a brief description of the device, which is written to the registry key. This can provide valuable information, such as the device's manufacturer and model, which can be used to identify any potential vulnerabilities or known malware associated with the device.

It's worth noting that this method is not limited to USB file storage devices; it can be used to monitor all USB devices. This can be especially useful in identifying malicious USB devices that are disguised as legitimate ones. By capturing all USB device insertions and providing a brief description of the device, organizations can gain a better understanding of what USB devices are connected to their systems and take appropriate actions to protect against potential threats.

### **Step 2: Identify anomalous activity**

Let's look at a few detection opportunities for malicious activity:

* LNK file read from removable drive
* Process launch from removable drive
* DLL load from removable drive

1. Process launch from removable drive: In this case, we can observe the threat actor attempting to execute processes directly off of the removable drive, without first copying them to the host system.
This behavior is uncommon in most environments and especially stands out if the executable is unsigned or has a mismatched file extension.

```
// Description: Detect processes executed directly from removable drives
dataset = xdr_data
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START and action_process_device_info != Null
// Device Info parsing
| alter Drive_Type = json_extract(to_json_string(action_process_device_info), "$.storage_device_drive_type"),
        Drive_Letter = json_extract_scalar(to_json_string(action_process_device_info), "$.storage_device_mount_point"),
        Device_Serial_Number = json_extract_scalar(to_json_string(action_process_device_info), "$.storage_device_serial_number")
// Getting details about the device the process image was executed from
| filter Drive_Type = "2" // Removable = 2
| fields agent_hostname, actor_effective_username, action_process_image_path, action_process_image_command_line, action_process_file_info, action_process_signature_status, action_process_signature_vendor, actor_process_image_path, actor_process_signature_vendor, actor_process_command_line, action_file_path, action_process_device_info, Drive_Type, Drive_Letter, Device_Serial_Number, event_type, event_sub_type
```

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/04/word-image-183190-1.png)

2. DLL load from removable drive: Similar to the above case, DLL loads can occur directly from the removable drive instead of the DLL being copied to the host system first. These cases are quite suspicious, especially if the DLL is loaded by a legitimate binary known for abuse through proxy execution, such as rundll32.
```
// Description: Detect DLLs loaded directly from removable drives
dataset = xdr_data
| filter event_type = ENUM.LOAD_IMAGE and action_module_device_info != Null
// Device Info parsing
| alter Drive_Type = json_extract(to_json_string(action_module_device_info), "$.storage_device_drive_type"),
        Drive_Letter = json_extract_scalar(to_json_string(action_module_device_info), "$.storage_device_mount_point"),
        Device_Serial_Number = json_extract_scalar(to_json_string(action_module_device_info), "$.storage_device_serial_number")
// Getting details about the device the module was loaded from
| filter Drive_Type = "2" // Removable = 2
| fields agent_hostname, actor_effective_username, action_module_path, action_module_signature_status, action_module_signature_vendor, actor_process_image_path, actor_process_signature_vendor, actor_process_command_line, action_file_path, action_module_device_info, Drive_Type, Drive_Letter, Device_Serial_Number, event_type, event_sub_type
```

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/04/word-image-183190-2.png)

3. LNK read from removable drive: LNK files are typically abused by threat actors as a mechanism to start the execution chain on the victim system. When the victim clicks on the LNK file, it starts a script or binary that then carries out the rest of the attack. Therefore, one indication of removable media abuse is an LNK file read event where the LNK file is located on a removable drive. Without this simple step, threat actors would have to resort to a more sophisticated method of execution such as USB autorun/autoplay (typically disabled) or driver/firmware abuse.
```
// Description: Detect LNK file read from removable drive
dataset = xdr_data
| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_OPEN and lowercase(action_file_extension) = "lnk"
// Device Info parsing
| alter Drive_Type = json_extract(to_json_string(action_file_device_info), "$.storage_device_drive_type"),
        Drive_Letter = json_extract_scalar(to_json_string(action_file_device_info), "$.storage_device_mount_point"),
        Device_Serial_Number = json_extract_scalar(to_json_string(action_file_device_info), "$.storage_device_serial_number")
// Getting details about the device the file was opened from
| filter Drive_Type = "3" or Drive_Type = "2" // CDROM = 3, Removable = 2
| fields Drive_Type, action_file_path, action_file_name, action_file_extension
```

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/04/word-image-183190-3.png)

### **Case Study: NeksMiner Crypto Worm**

The Unit 42 Managed Threat Hunting team recently identified a suspicious DLL that was suspected to be a sample of the NeksMiner crypto worm. Crypto worms can spread through USB storage devices (among other methods) and continue proliferating by enumerating network storage devices and attached USB drives, copying themselves to each one. The identified sample was introduced into the customer environment through a removable USB device.

It can sometimes be hard to tell when activity originated from a removable USB device, as shown in Figure 1. Since the legitimate "rundll32.exe" binary on the host machine's disk is used to proxy execution (MITRE ATT&CK sub-technique T1218.011), there's no obvious indication of any removable drive activity. However, we also get our first clue in Figure 1 by noting that the "Module Path" for the suspicious DLL is not on the C:\ drive. This indicates that we may need to look for drive mount activity.
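The pivot described in this case study (a removable mount, then an LNK read by File Explorer on that drive, then a child process that loads a module from the same drive), together with the VID/PID enrichment from the usb.ids file suggested in Step 1, as an added Python example that is not code from the original post or from Cortex XDR. It runs over constructed rows that are already flattened the way the post's `alter` statements flatten `*_device_info`; the host name, drive letter, timestamps, file paths and usb.ids entries are all constructed for the example.

```python
"""Added example, not code from the original post or Cortex XDR: correlates the chain the
case study describes (removable MOUNT -> LNK FILE_OPEN by explorer.exe on that drive ->
PROCESS_START spawned by explorer.exe -> LOAD_IMAGE from that drive) over constructed
xdr_data-like rows, enriching the mount with a usb.ids-format vendor/product lookup."""
import re
from datetime import datetime, timedelta

REMOVABLE = "2"                      # storage_device_drive_type value the post filters on
AFTER_MOUNT = timedelta(minutes=10)  # the LNK read must follow the mount within this window
CHAIN_STEP = timedelta(seconds=60)   # each later step must follow the previous one within this

# Constructed excerpt in usb.ids layout: "vvvv  Vendor" lines, then "\tpppp  Product" lines.
USB_IDS = """\
# List of USB ID's (constructed excerpt)
0781  SanDisk Corp.
\t5567  Cruzer Blade
\t5583  Ultra Fit
abcd  Example Vendor (constructed)
\t1234  Example Flash Drive (constructed)
"""

def parse_usb_ids(text):
    """Map (vid, pid) -> (vendor, product); (vid, "") -> (vendor, "") when the product is unlisted."""
    table, vid, vendor = {}, None, None
    for line in text.splitlines():
        if line.startswith("\t"):                              # product under the current vendor
            m = re.match(r"\t([0-9a-f]{4})\s+(.+)", line)
            if m and vid:
                table[(vid, m.group(1))] = (vendor, m.group(2))
        elif m := re.match(r"([0-9a-f]{4})\s+(.+)", line):    # vendor line ("#" and "C xx" lines skip)
            vid, vendor = m.group(1), m.group(2)
            table[(vid, "")] = (vendor, "")
    return table

T0 = datetime(2023, 4, 1, 9, 0, 0)
EXPLORER = r"C:\Windows\explorer.exe"
RUNDLL = r"C:\Windows\System32\rundll32.exe"

def ev(secs, **fields):
    """Constructed xdr_data-like row; *_device_info is pre-flattened as the post's alter statements do."""
    return {"_time": T0 + timedelta(seconds=secs), "agent_hostname": "WS-01", **fields}

EVENTS = [
    ev(0, event_type="MOUNT", mount_point="E:", vendor_id="abcd", product_id="1234", drive_type="2"),
    ev(5, event_type="FILE", event_sub_type="FILE_OPEN", actor_process_image_path=EXPLORER,
       action_file_path=r"C:\Users\u\Desktop\Mail.lnk"),            # decoy: shortcut on the local disk
    ev(40, event_type="FILE", event_sub_type="FILE_OPEN", actor_process_image_path=EXPLORER,
       action_file_path=r"E:\Documents.lnk"),
    ev(41, event_type="PROCESS", event_sub_type="PROCESS_START", actor_process_image_path=EXPLORER,
       action_process_image_path=RUNDLL, action_process_command_line=r"rundll32.exe E:\_\upd.dll,Entry"),
    ev(42, event_type="LOAD_IMAGE", actor_process_image_path=RUNDLL, action_module_path=r"E:\_\upd.dll"),
]

def drive_of(path):
    return path[:2].upper()                                    # r"E:\x.lnk" -> "E:"

def within(e, start, span):
    return start <= e["_time"] <= start + span

def hunt(events, usb_ids):
    """One finding per removable mount that is followed by an LNK-triggered execution chain."""
    events = sorted(events, key=lambda e: e["_time"])
    findings = []
    for m in events:
        if m["event_type"] != "MOUNT" or m["drive_type"] != REMOVABLE:
            continue
        host, drive = m["agent_hostname"], m["mount_point"].upper()
        vendor, product = usb_ids.get((m["vendor_id"], m["product_id"]),
                                      usb_ids.get((m["vendor_id"], ""), ("unknown", "")))
        rows = [e for e in events if e["agent_hostname"] == host]
        lnks = [e for e in rows if e["event_type"] == "FILE" and e.get("event_sub_type") == "FILE_OPEN"
                and e["action_file_path"].lower().endswith(".lnk")
                and drive_of(e["action_file_path"]) == drive and within(e, m["_time"], AFTER_MOUNT)]
        for lnk in lnks:
            for p in rows:                                     # child spawned by whatever read the LNK
                if not (p["event_type"] == "PROCESS" and p.get("event_sub_type") == "PROCESS_START"
                        and p["actor_process_image_path"].lower() == lnk["actor_process_image_path"].lower()
                        and within(p, lnk["_time"], CHAIN_STEP)):
                    continue
                image = p["action_process_image_path"]
                mods = [e["action_module_path"] for e in rows if e["event_type"] == "LOAD_IMAGE"
                        and e["actor_process_image_path"].lower() == image.lower()
                        and drive_of(e["action_module_path"]) == drive and within(e, p["_time"], CHAIN_STEP)]
                findings.append({"host": host, "drive": drive, "device": f"{vendor} {product}".strip(),
                                 "lnk": lnk["action_file_path"], "spawned": image,
                                 "command_line": p["action_process_command_line"],
                                 "removable_modules": mods})
    return findings
```

Calling `hunt(EVENTS, parse_usb_ids(USB_IDS))` returns a single finding for drive E: naming the constructed device, the LNK that was read, the rundll32 child and the DLL it loaded from the drive; the shortcut opened from C: is ignored because its drive letter does not match the mount.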
![Figure 1: Attempted execution.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/04/word-image-183190-4.png)

Figure 1: Attempted execution.

Using the above queries to detect USB storage devices, we can see a removable drive was indeed mounted shortly before the suspicious event. Upon further investigation, we can see a malicious LNK file was present on the drive, and this malware relied on the user clicking the LNK file to start the execution chain (see Figure 2). When the user clicks on the LNK file, this creates a "File Read" event for the LNK file performed by File Explorer (explorer.exe). Shortly afterward, File Explorer spawns a child process according to the contents of the LNK file.

![Figure 2: LNK execution mechanism. Note the LNK file read shortly before malicious execution starts.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/04/word-image-183190-5.png)

Figure 2: LNK execution mechanism. Note the LNK file read shortly before malicious execution starts.

### **Why USB malware continues to be effective**

Most USB malware relies heavily on social engineering to trick users into opening its payloads. Modern USB malware typically uses a .LNK to execute, triggering a script or executable stored elsewhere on the removable drive. The trick here is that malware authors can typically hide all malicious binaries and scripts out of view of the user. This can be accomplished through simple hidden folders, although more sophisticated malware may use even stealthier methods. All that appears on the drive is the .LNK itself, which can be visually modified to make it more likely for the user to click on it.

Besides the above, many organizations still do not enforce strict USB storage device controls throughout their environments. A simple control would be a technical measure to prevent users from using or mounting USB storage devices on their hosts, subject to any necessary exclusions.
Without these controls, mistakes could allow malware to infiltrate through infected USB devices, or even be unintentionally transferred from unsecured personal devices.

### **Summary**

USB-spreading malware is a technique attackers use to gain initial access into organizations. This type of malware can infect a computer when a USB device, such as a flash drive, is plugged into it. The malware can then spread to other computers and other USB devices on the network. The above queries can be used as part of a threat hunting engagement to check if these techniques are being used in the environment, or as part of an investigation into specific activity to see if USB devices may have been used as the initial infection vector.

### **About Unit 42 Managed Services**

Unit 42 Managed Threat Hunting is a powerful service that empowers organizations to stay ahead of the ever-evolving threat landscape. Led by the renowned Unit 42 threat intelligence team, this service is designed to identify hidden attacks that would otherwise go undetected. Our team of expert threat hunters uses a combination of human expertise, big data analytics and comprehensive threat intelligence to surface malicious tactics, techniques, and procedures hiding in plain sight. This cutting-edge service is fueled by data collected and retained in the Cortex Data Lake, ensuring that organizations have access to the most comprehensive and accurate information available. With Unit 42 Managed Threat Hunting, organizations can take proactive steps to protect their assets and stay one step ahead of cybercriminals.