* [Blog](https://origin-researchcenter.paloaltonetworks.com/blog)
* [Security Operations](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/)
* [Must-Read Articles](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/category/must-read-articles/)
* Detecting VBA Process Hol...

# Detecting VBA Process Hollowing With Cortex XDR

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fdetecting-vba-process-hollowing-with-cortex-xdr%2F)  
[](https://twitter.com/share?text=Detecting+VBA+Process+Hollowing+With+Cortex+XDR&url=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fdetecting-vba-process-hollowing-with-cortex-xdr%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fdetecting-vba-process-hollowing-with-cortex-xdr%2F&title=Detecting+VBA+Process+Hollowing+With+Cortex+XDR&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/detecting-vba-process-hollowing-with-cortex-xdr/&ts=markdown)  
\[\](mailto:?subject=Detecting VBA Process Hollowing With Cortex XDR)  
Link copied  
By [Stav Setty](https://www.paloaltonetworks.com/blog/author/stav-setty/?ts=markdown "Posts by Stav Setty") and [Aviad Meyer](https://www.paloaltonetworks.com/blog/author/aviad-meyer/?ts=markdown "Posts by Aviad Meyer")  
Sep 26, 2020  
6 minutes  
[Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown)  
[Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/?ts=markdown)  
[Cortex XDR](https://www.paloaltonetworks.com/blog/tag/cortex-xdr/?ts=markdown)  
[exploit](https://www.paloaltonetworks.com/blog/tag/exploit/?ts=markdown)  
[process hollowing](https://www.paloaltonetworks.com/blog/tag/process-hollowing/?ts=markdown)  
[Unit 42](https://www.paloaltonetworks.com/blog/tag/unit-42/?ts=markdown)  
[VBA](https://www.paloaltonetworks.com/blog/tag/vba/?ts=markdown)

Overview

Palo Alto Networks' Unit 42 threat research team observed recent activity involving an advanced Visual Basic for Applications (VBA) technique, VBA-RunPE.

VBA-RunPE is an implementation of the RunPE technique in VBA. It enables running executables from the memory of Microsoft Word and Microsoft Excel. To evade detection, attackers are increasingly turning to VBA-RunPE and similar tools that achieve process hollowing.

The Palo Alto Networks Cortex XDR platform protects customers from a wide spectrum of nefarious activity, including VBA-RunPE. Over the past few weeks, the Cortex XDR Security Research Team has added several behavioral detectors for the technique. Furthermore, the release of our latest endpoint protection agent -- [Cortex XDR Agent 7.2](https://docs.paloaltonetworks.com/cortex/cortex-xdr/7-2/cortex-xdr-agent-release-notes/cortex-xdr-agent-release-information/features-introduced-in-cortex-agent.html#:~:text=To%20protect%20Mac%20endpoints%20from,USB%2Dconnectivity%20on%20your%20endpoint.) -- can block the attack up-front.

Why VBA-RunPE?

Malware authors have used RunPE for years to achieve process hollowing, execute stealthily, and hide their activity. Process hollowing is a code injection technique in which attackers hide malicious code inside legitimate processes (often explorer.exe, svchost.exe, etc). This technique is especially common in remote access tools (RATs) as well.

One of the key benefits of RunPE/process hollowing is the ability to bypass application whitelisting. This is useful in constrained desktop environments (e.g. AppLocker, AppSense by Ivanti, etc).

Process hollowing on its own isn't so new, but a VBA implementation of RunPE is a game changer. With VBA-RunPE, all an attacker needs to bypass any restriction is access to Word or Excel and VBA macros. It also allows attackers to weaponize macros without resorting to PowerShell and other less stealthy methods. With Windows Defender leveraging Microsoft's Antimalware Scan Interface (AMSI), this has become increasingly important.

As we can see in Figure 1 below, VBA-RunPE enables an attacker to run any Portable Executable (PE) file, disguised as an Office executable. In this case, the title of the PowerShell process spawned is actually the path of winword.exe.

![Image of how VBA-RunPE Spawns a PowerShell terminal disguised as Microsoft Word](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/09/Screen-Shot-2020-09-24-at-4.13.07-PM.png)

*Figure 1. VBA-RunPE Spawns PowerShell Disguised as Microsoft Word*

How It Works

This workflow illustrates the observed attack steps:

1. Financial\_report.docm is opened.
2. Macros are enabled, and the VBA code is executed.
3. A new instance of Microsoft Word is spawned and placed in a suspended state.
4. Enough memory is allocated within the process to copy the content of the actual PE to execute.
5. The address of the entry point is adjusted and the thread is resumed.

Once the thread is resumed, the malicious code starts running, now masquerading as a legitimate process.

![VBA attack steps: open a document, execute VBA macros, spawn a new instance of Word, allocate memory within the process to copy the PE, adjust the entry point and resume thread](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/09/vba-image-2.png)

*Figure 2. VBA-RunPE Attack Steps*

All of this process hollowing is possible through VBA because it allows for importing functions from the Windows API. The following are some of the API functions called:

* CreateProcess: used to create the new process in a suspended state
* VirtualAllocEx: allocates memory within the new process
* WriteProcessMemory: writes the content of a PE file to the allocated memory
* SetThreadContext: applies the changes set
* ResumeThread: resumes the main thread to allow for the execution of the new PE

One of the most common ways security vendors detect process hollowing is by monitoring API calls that unmap process memory, such as NtUnmapViewOfSection and ZwUnmapViewOfSection. But, in contrast to the majority of process hollowing implementations, VBA-RunPE doesn't unmap the process memory, and therefore it can bypass detection by many security products.

VBA-RunPE gives an attacker the ability to run any PE file, simply by setting the path of the file to execute and the command-line arguments. The following default VBA-RunPE code in Figure 3 runs a command-line similar to powershell.exe -exec Bypass.

![sample of VBA code](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/09/Screen-Shot-2020-09-24-at-4.19.40-PM.png)

*Figure 3. Default VBA-RunPE code*

Below is a look into the Exploit method that gets the content of a PE file as a byte array and calls the RunPE procedure to execute it from the memory of Word / Excel. The rest of the code can be found on the VBA-RunPE [Github](https://github.com/itm4n/VBA-RunPE).

![VBA code to inject malicious process](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/09/Screen-Shot-2020-09-24-at-2.02.21-PM.png)

Behavioral Activity Observed

Using Cortex XDR, we observed the attack's behavior---starting with the causality chain. The Causality Group Owner (CGO) responsible for causing the activities is our Word process that opened financial\_report.docm. Once macros were enabled, a new winword.exe process was spawned in a suspended state. Lastly, the injection of PowerShell into the memory of the newly created Word process spawned the Windows Console.

Essentially, the attacker got away with spawning PowerShell as a separate process. To the unsuspecting system administrator, this activity may not appear to be malicious.

![Screenshot of Cortex XDR detecting the malicious powershell code injection into the WINWORD.EXE process](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/09/vba-image-3.png)

*Figure 4. Cortex XDR Causality Chain*

Diving deeper with Cortex XDR, we checked the process command-line arguments. In Figure 5, we can see that Microsoft Word is spawned with the command line "Winword.exe -exec Bypass". This is an anomalous command line, since it's associated with PowerShell and not with Microsoft Word.

![Screenshot of Cortex XDR showing how Microsoft Word was spawned using an "-exec Bypass" command](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/09/Screen-Shot-2020-09-24-at-4.23.08-PM.png)

*Figure 5. Process Execution Suspicious Command-Line*

Cortex XDR gathers information from process activity logs, file activity logs, network activity logs, image loads logs, registry logs, and more.

Figure 6 demonstrates a couple of interesting module loads from Microsoft Word. For example, *System.Management.Automation.dll* and *pwrship.dll* are loaded---this loading of PowerShell DLLs by a Microsoft Office process is clear unusual activity.

![Screenshot of Cortex XDR showing suspicious modules](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/09/Screen-Shot-2020-09-24-at-4.24.25-PM.png)

*Figure 6. Module Loads by Microsoft Word*

Cortex XDR Alerts

Following our look into behavioral activity with Cortex XDR, we created the following Behavioral Indicators of Compromise (BIOCs) to detect VBA-RunPE.

Cortex XDR Agent 7.2 also features prevention modules from macro local analysis to block this attack.

|------------|------------------------------------------------------------|-----------------|
| **Source** | **Description**                                            | **Release**     |
| XDR BIOC   | Office process runs with suspicious command-line arguments | June 7, 2020    |
| XDR BIOC   | Microsoft Office process spawns conhost.exe                | June 7, 2020    |
| XDR BIOC   | Non-PowerShell process loads a PowerShell DLL              | July 19, 2020   |
| XDR BIOC   | LOLBIN created a PowerShell script file                    | August 23, 2020 |
| XDR Agent  | Suspicious macro detected                                  | August 31, 2020 |
| XDR BIOC   | Microsoft Office process reads a suspicious process        | October 2020    |

*Table 1. List of VBA-RunPE Alerts*

![Screenshot of Cortex XDR detecting several behavioral indicators of compromise associated with Office spawned by Powershell](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/09/Screen-Shot-2020-09-24-at-4.25.21-PM.png)

*Figure 7. Alerts in the Cortex XDR UI*

Conclusion

Process hollowing threats are complicated in nature and often go undetected. Malware authors continue to utilize these evasive process execution techniques to reduce the number of indicators on an endpoint.

Cortex XDR™ can overcome this leveraging behavioral activity to detect and block this attack at several stages of the attack chain.

MITRE ATT\&CK Tactics

The following tactics and techniques are relevant to the threat discussed. Further information can be found in the [MITRE ATT\&CK framework](https://attack.mitre.org/matrices/enterprise/).

|-------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|-----------------|
| **ID**                                                      | **Description**                                                                                                                     | **Tactic**      |
| [T1055.012](https://attack.mitre.org/techniques/T1055/012/) | **Process Hollowing**  \* Process is created in a suspended state and "hollowed out" with malicious code                       | Defense Evasion |
| [T1566.001](https://attack.mitre.org/techniques/T1566/001/) | **Phishing: Spearphishing Attachment**  \* Involves the sending of malicious Microsoft Office documents                        | Initial Access  |
| [T1106](https://attack.mitre.org/techniques/T1106/)         | **Execution through API**  \* Adversary tools may use the Windows Application Programming Interface (API) to execute binaries. | Execution       |

*Table 2. Relevant ATT\&CK techniques*

*** ** * ** ***

## Related Blogs

### [AI and Cybersecurity](https://www.paloaltonetworks.com/blog/security-operations/category/ai-and-cybersecurity/?ts=markdown), [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)

[#### Ransomware Attacks: Why Your Endpoint Protection Can't Keep Up](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/ransomware-attacks-why-your-endpoint-protection-cant-keep-up/)

### [AI and Cybersecurity](https://www.paloaltonetworks.com/blog/security-operations/category/ai-and-cybersecurity/?ts=markdown), [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/?ts=markdown)

[#### From Silos to Synergy: How Cortex XDL Transforms XDR to Elevate Threat Detection](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/from-silos-to-synergy-how-cortex-xdl-transforms-xdr-to-elevate-threat-detection/)

### [AI and Cybersecurity](https://www.paloaltonetworks.com/blog/security-operations/category/ai-and-cybersecurity/?ts=markdown), [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/?ts=markdown)

[#### SE Labs Awards Palo Alto Networks AAA Rating and 100% Prevention Against Ransomware](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/se-labs-awards-palo-alto-networks-aaa-rating-and-100-prevention-against-ransomware/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/?ts=markdown)

[#### Boosting Identity Security with Cortex XDR/XSIAM Honey Users](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/boosting-identity-security-with-cortex-xdr-honey-users/)

### [Company \& Culture](https://www.paloaltonetworks.com/blog/category/company-culture/?ts=markdown), [Customer Spotlight](https://www.paloaltonetworks.com/blog/category/customer-spotlight/?ts=markdown), [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown), [Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/?ts=markdown)

[#### AI Powers Sabre's Enhanced Threat Detection \& Response](https://origin-researchcenter.paloaltonetworks.com/blog/2024/05/precision-ai-powers-sabres-enhanced-threat-detection-response/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/?ts=markdown)

[#### Battling macOS Malware with Cortex AI](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/battling-macos-malware-with-cortex-ai/)

### Subscribe to Security Operations Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://origin-researchcenter.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language