# Detecting the Kerberos noPac Vulnerabilities with Cortex XDR™

By [Stav Setty](https://www.paloaltonetworks.com/blog/author/stav-setty/?ts=markdown "Posts by Stav Setty") and [Aviad Meyer](https://www.paloaltonetworks.com/blog/author/aviad-meyer/?ts=markdown "Posts by Aviad Meyer")

Jan 10, 2022

### Executive Summary

The Kerberos noPac vulnerabilities ([CVE-2021-42278](https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e) and [CVE-2021-42287](https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041)) enable attackers to gain full domain admin privileges in Active Directory environments. Microsoft promptly issued a patch for these vulnerabilities, with the initial patch released on November 9th, 2021. That said, patching servers in organizations is often a slow process, and many AD domains are left vulnerable.

[Cortex XDR™](https://www.paloaltonetworks.com/cortex/cortex-xdr) fully detects these vulnerabilities as part of its Identity Analytics module. In addition, the Cortex XDR agent blocks the attack.

### Background

Kerberos is a network authentication protocol that is primarily used in Active Directory (AD) environments. It provides strong authentication by issuing tickets to allow access to services. The tickets are distributed by the Key Distribution Center (KDC). In AD environments, the KDC is installed on the Domain Controller (DC). A ticket-granting-ticket (TGT) is a ticket assigned to a user that is used to authenticate to the KDC and request a service ticket from the ticket-granting-service (TGS).
Service tickets are granted for authentication against services.

![Figure 1. Kerberos authentication process](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/word-image-1.jpeg)

*Figure 1. Kerberos authentication process,* [*Image source*](https://www.manageengine.com/products/active-directory-audit/kb/windows-security-log-event-id-4768.html)

CVE-2021-42278 and CVE-2021-42287 are vulnerabilities that allow an attacker with low-privileged domain user access to obtain a Kerberos Service Ticket for a Domain Controller computer account. This effectively enables an ordinary domain user to easily elevate their privileges to Domain Admin.

A key part of the noPac vulnerability revolves around the sAMAccountName attribute. The sAMAccountName is a unique identifier for an AD user, group, or computer. To differentiate between computer and user objects, the sAMAccountName of a machine account ends with a trailing dollar sign, "$".

**CVE-2021-42278**

CVE-2021-42278 is a security bypass vulnerability that allows an attacker to impersonate a domain controller by leveraging sAMAccountName spoofing. In particular, nothing validates that a machine account's sAMAccountName ends in a $, as all machine account names should.

**CVE-2021-42287**

CVE-2021-42287 affects the [Kerberos Privilege Attribute Certificate](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/166d8064-c863-41e1-9c23-edaaa5f36962) (PAC) and lets an attacker impersonate a domain controller. This occurs when requesting a service ticket. If the account presented in the TGT is not found by the KDC, the KDC will perform another lookup with a trailing $. Consequently, the KDC will issue a service ticket with a higher privilege level than the compromised account.

Adversaries can leverage these two vulnerabilities together to escalate to domain admin privileges from a standard domain user.

**How It Works**

1. Machine account creation
2. Service Principal Names (SPNs) are cleared
3. sAMAccountName is renamed to the DC name without a $
4. Ticket-granting-ticket (TGT) is requested
5. sAMAccountName is renamed with a different name
6. Service ticket requested with S4U2self extension

The first step of the attack is to create a new machine account. By default, a domain user is able to do this through the [SeMachineAccountPrivilege](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain) and [MS-DS-Machine-Account-Quota](https://docs.microsoft.com/en-us/windows/win32/adschema/a-ms-ds-machineaccountquota) (MAQ) settings: SeMachineAccountPrivilege is granted to Authenticated Users, and the MAQ is set to 10, which permits each authenticated user to add ten computer objects to the AD domain. Using [Powermad](https://github.com/Kevin-Robertson/Powermad), the machine account TestSPN is successfully created below.

![Figure 2. Creating a new computer account in Active Directory (AD)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/word-image-16.png)

*Figure 2. Creating a new computer account in Active Directory (AD)*

Before renaming the sAMAccountName, the ServicePrincipalName attribute needs to be cleared. This is because the SPNs are linked to the name of the account, and the rename operation would otherwise result in an error. As the creator of the machine account object, the attacker has the privileges to modify these attributes. The SPNs are successfully cleared with [PowerView](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon)'s Set-DomainObject.

![Figure 3. Clearing the SPNs with PowerView](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/word-image-17.png)

*Figure 3. Clearing the SPNs with PowerView*

The attacker then renames the sAMAccountName attribute to the name of the domain controller without the trailing $.
In this example, the targeted domain controller is DC1ENV30ADC01, which has the sAMAccountName DC1ENV30ADC01$. The attacker changes the new machine account's sAMAccountName to DC1ENV30ADC01. No validation exists for this behavior and the name change is successful. This is the **CVE-2021-42278** vulnerability.

![Figure 4. Renaming the machine account to spoof a domain controller](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/word-image-18.png)

*Figure 4. Renaming the machine account to spoof a domain controller*

Using [Rubeus](https://github.com/GhostPack/Rubeus), the attacker can now request a Kerberos TGT for the spoofed account DC1ENV30ADC01.

![Figure 5. TGT request with the spoofed sAMAccountName](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/word-image-19.png)

*Figure 5. TGT request with the spoofed sAMAccountName*

Once the TGT is obtained, the attacker will reset the sAMAccountName back to the original TestSPN$.

![Figure 6. Resetting the sAMAccountName via Powermad](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/word-image-20.png)

*Figure 6. Resetting the sAMAccountName via Powermad*

This is where **CVE-2021-42287** takes effect and the KDC bamboozling occurs. With the spoofed TGT previously granted, the attacker will request a service ticket for a service using the [S4U2self](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/02636893-7a1f-4357-af9a-b672e3e3de13) extension. Now that the initial account behind the TGT with sAMAccountName DC1ENV30ADC01 no longer exists, the KDC will perform another lookup with a trailing $ at the end. It will find the domain controller account and encrypt the ticket with its key. The attacker has now obtained a service ticket for the domain controller account DC1ENV30ADC01$ as an ordinary user. It's now possible to perform a DCSync using this ticket and gain access to the domain controller.

![Figure 7. TGS Request with Rubeus](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/word-image-21.png)

*Figure 7. TGS Request with Rubeus*

Numerous proof-of-concept (PoC) exploits that automate the full attack have been publicly released. Some of these PoCs also feature a scan function that checks if a DC is vulnerable to the attack by requesting a TGT without a PAC. If vulnerable, the DC will return a PAC-less TGT with a small ticket size. A patched DC will return a larger ticket with a PAC.

![Figure 8. noPac PoC - scanning and exploit](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/image-2021-12-13-21-57-05-607.png)

*Figure 8. noPac PoC - scanning and exploit*

![Figure 9. Sam-the-admin PoC](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/word-image-22.png)

*Figure 9. Sam-the-admin PoC*

### Behavioral Activities Observed

Exploiting the noPac vulnerability generates the following Security Auditing Windows event logs.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/Table-1.png)

After the computer account is created, Event 4741 will fire, detailing the user who created the account and information on the new account. Clearing the SPNs will generate a 4742 event. Service principal names will show as "\" when the SPNs are cleared.

![Figure 10. Event viewer - Machine account creation (4741), SPNs cleared (4742)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/word-image-23.png)

*Figure 10. Event viewer - Machine account creation (4741), SPNs cleared (4742)*

Renaming the machine account will generate events 4742 and 4781. Event ID 4781 details the old and new account names. The old account name includes a $ and the new account name does not.

![Figure 11. Event viewer - 4742 and 4781 from renaming the machine account](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/word-image-24.png)

*Figure 11. Event viewer - 4742 and 4781 from renaming the machine account*

The request for the Kerberos TGT fires Event 4768 with the spoofed sAMAccountName (machine account without the trailing $). The domain controller also logs Event 4769 when the service ticket is requested. The service name contains the trailing dollar and the account name does not.

![Figure 12. Events 4768 and 4769 from TGT and ST requests](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/word-image-25.png)

*Figure 12. Events 4768 and 4769 from TGT and ST requests*

### Cortex XDR Alerts

Cortex XDR alerts at each stage of the attack chain. The Identity Analytics Module alerts on the behavioral activities and the Cortex XDR agent blocks the tools that are used.

![Figure 13. Cortex XDR Alert Incident](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/word-image-26.png)

*Figure 13. Cortex XDR Alert Incident*

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/Table-2.png)

**Note about Identity Analytics:** The Identity Analytics Module (IAM) can be enabled by setting up the [Cloud Identity Engine](https://docs.paloaltonetworks.com/content/techdocs/en_US/cortex/cortex-xdr/cortex-xdr-pro-admin/get-started-with-cortex-xdr-pro/set-up-cloud-identity-engine.html#dir-sync-setup) and configuring [Cortex XDR Analytics](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/get-started-with-cortex-xdr-pro/configure-xdr.html#configure-xdr).

### Microsoft Windows Patches and Hardening

Microsoft's patch adds [Security Accounts Manager Hardening changes](https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e) along with [Key Distribution Center (KDC) authentication updates](https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041).
These changes prevent sAMAccountName spoofing by adding validation for a computer account's sAMAccountName ending in a single dollar sign. The original requestor will also be added to the PAC of the TGT, helping prevent domain controller impersonation.

After the DC is patched, the attack is no longer possible, and attempts generate System event log messages. Since the newly created TGT contains additional information in the PAC about the original requestor, requesting a TGS fails validation, returns the error KDC\_ERR\_TGT\_REVOKED and fires Event 38.

![Figure 14. Requestor mismatch after patching DC and attempting to exploit](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/word-image-27.png)

*Figure 14. Requestor mismatch after patching DC and attempting to exploit*

Microsoft added the following Event IDs with November 9th's update to log these errors.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/Table-3.png)

These events can be monitored with the [Cortex XDR Windows Event Collector](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/broker-vm/set-up-broker-vm/activate-the-windows-event-collector.html) (WEC). WEC enables collection from Windows Servers and requires a [broker VM](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/broker-vm/manage-your-broker-vm/edit-your-broker-vm-configuration.html#id44350af4-4a8a-4dac-91d4-0ef42064aded).

![Figure 15. Windows event collection configuration](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/word-image-28.png)

*Figure 15. Windows event collection configuration*

### Conclusion

The noPac vulnerabilities carve out a straightforward path from Domain User to Domain Admin. We suggest patching DCs immediately and running the latest agent and content version. Cortex XDR also detects and blocks this attack, leveraging behavioral analytics at every stage of the attack chain.

Want to learn more about Cortex XDR?
Visit the [Cortex XDR webpage](https://www.paloaltonetworks.com/cortex/cortex-xdr) or read the [Essential Guide to XDR](https://start.paloaltonetworks.com/essential-guide-to-xdr.html).
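
The event signatures listed under Behavioral Activities Observed (4741, 4781, 4768, 4769) can be correlated into a single detection over collected Security logs. The following Python is an added example, not code from the original post or from Cortex XDR. The flat record layout, the 30-minute window, the `lowpriv` and `admin` users, the `WS01$`/`WS02$` rename and the `LAB.LOCAL` realm are assumptions, and all sample events are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window; tune per environment


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _account(name):
    """Strip an optional @REALM suffix and normalise case."""
    return name.split("@", 1)[0].lower()


def detect_nopac(events, dc_accounts):
    """Correlate 4741/4781/4768/4769 records around a rename to a DC name."""
    dcs = {d.lower() for d in dc_accounts}
    events = sorted(events, key=_ts)
    findings = []
    for ev in events:
        if ev["id"] != 4781:
            continue
        old, new = ev["OldTargetUserName"], ev["NewTargetUserName"]
        # Rename signature from the post: old name has '$', new name does not.
        if not old.endswith("$") or new.endswith("$"):
            continue
        # Only a name that collides with a DC account once '$' is appended matters.
        if new.lower() + "$" not in dcs:
            continue
        start, spoof = _ts(ev), new.lower()
        before = [e for e in events if start - WINDOW <= _ts(e) < start]
        after = [e for e in events if start <= _ts(e) <= start + WINDOW]
        stages = ["rename_to_dc_name"]
        if any(e["id"] == 4741 and e["TargetUserName"].lower() == old.lower()
               for e in before):
            stages.insert(0, "machine_account_created")
        if any(e["id"] == 4768 and _account(e["TargetUserName"]) == spoof
               for e in after):
            stages.append("tgt_for_spoofed_name")
        # 4769 signature: service name carries '$', account name does not.
        if any(e["id"] == 4769 and _account(e["TargetUserName"]) == spoof
               and e["ServiceName"].lower() == spoof + "$" for e in after):
            stages.append("service_ticket_for_dc")
        findings.append({"actor": ev["SubjectUserName"], "machine_account": old,
                         "spoofed_dc": new + "$", "stages": stages})
    return findings


# Constructed sample records (simplified field layout, not a raw event export).
DAY = "2022-01-10T"
SAMPLE_EVENTS = [
    # Benign workstation rename: both names keep the trailing '$'.
    {"id": 4781, "time": DAY + "09:00:00", "SubjectUserName": "admin",
     "OldTargetUserName": "WS01$", "NewTargetUserName": "WS02$"},
    # The DC requesting a ticket as itself: account name keeps the '$'.
    {"id": 4769, "time": DAY + "09:30:00",
     "TargetUserName": "DC1ENV30ADC01$@LAB.LOCAL", "ServiceName": "DC1ENV30ADC01$"},
    {"id": 4741, "time": DAY + "10:00:00", "SubjectUserName": "lowpriv",
     "TargetUserName": "TestSPN$"},
    {"id": 4781, "time": DAY + "10:01:00", "SubjectUserName": "lowpriv",
     "OldTargetUserName": "TestSPN$", "NewTargetUserName": "DC1ENV30ADC01"},
    {"id": 4768, "time": DAY + "10:01:30", "TargetUserName": "DC1ENV30ADC01"},
    # Rename back to the original name: old name has no '$', so it is skipped.
    {"id": 4781, "time": DAY + "10:02:00", "SubjectUserName": "lowpriv",
     "OldTargetUserName": "DC1ENV30ADC01", "NewTargetUserName": "TestSPN$"},
    {"id": 4769, "time": DAY + "10:02:30",
     "TargetUserName": "DC1ENV30ADC01@LAB.LOCAL", "ServiceName": "DC1ENV30ADC01$"},
]

if __name__ == "__main__":
    for finding in detect_nopac(SAMPLE_EVENTS, ["DC1ENV30ADC01$"]):
        print(finding)
```

The list of domain controller accounts passed as `dc_accounts` has to come from the environment's own inventory; a rename that drops the `$` without matching a DC name is not reported by this check.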