# Stopping Cryptojacking Attacks With and Without an Agent

By [Guy Arazi](https://www.paloaltonetworks.com/blog/author/guy-arazi/?ts=markdown "Posts by Guy Arazi") | Mar 30, 2022 | 11 minutes

Cryptocurrency is a highly popular method of exchanging digital currency since it's encrypted and decentralized. Unlike other currencies, such as US dollars or Euros, there is no central authority that maintains and manages its value. Cryptocurrency is accepted almost anywhere in the world, allowing cryptocurrency holders to buy day-to-day goods and services with it, from groceries to cars, while leaving almost no trace of the paying users.

As the value of cryptocurrency has increased, cybercriminals have turned to cryptojacking, or the unauthorized use of compute resources to mine cryptocurrency, to make a quick profit.

## **Cryptomining in a Nutshell**

Cryptocurrency relies on a shared network, known as a blockchain, which is built through the computational processing of individual computer nodes. With the decentralized capabilities of the blockchain, users can create transactions in a secure manner.

The flow starts when a new transaction enters the blockchain, with computer nodes calculating its validity by solving equations. Once transactions are validated, they are clustered into blocks and chained together into a single chunk that tells the whole history of all the transactions, which completes the transaction.

With that in mind, it's simple to see that the more compute power users have, the quicker they solve equations and the more fees they are rewarded.

Adversaries used to create huge botnets to offer DDoS attacks as a service. These botnets consisted of zombie computers that waited for instructions from their command and control (C2) servers, but now adversaries are increasingly using botnets for cryptojacking, gaining a bigger foothold in the cryptocurrency realm.

## **Cryptojacking Attacks Evolve Quickly**

Initially, adversaries used custom and commodity malware to simply run crypto mining payloads on the infected machine, leveraging its local resources (CPU/GPU) to mine for various coins, including Bitcoin and Ethereum. The payloads implemented a watchdog-like service to make sure the miner always runs while the machine is running, even when users attempt to kill the process or reboot the machine.

There are native operating system features that allow users to keep their procedures up and running. One of the most popular in Linux is the well-known Crontab, which adversaries constantly use to stay persistent on compromised machines.

![Caption: Crontab usage on Cryptomining campaign](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-48.png)
*Crontab usage on Cryptomining campaign*

Today, attackers are targeting cloud services by any means to mine more and more cryptocurrency, as cloud services allow them to run their calculations on a larger scale than a single local machine, whether they're taking over a user's managed cloud environment or abusing SaaS applications to execute their calculations.

Cloud resources can be very expensive. Therefore, from the second the attackers start to mine, there is a direct loss of money. Imagine thousands of compute instances running mining applications at the click of a button. It is as destructive as it sounds, so the sooner victims can remediate these attacks, the less money is lost.

In the past, we've encountered a few attack scenarios that emphasize the severity of such attacks in the cloud:

1. 86% of the compromised Google Cloud credentials were used to launch cryptocurrency mining attacks on the breached environment, according to [Google](https://services.google.com/fh/files/misc/gcat_threathorizons_brief_nov2021.pdf) in November 2021.
2. More than 75% of all attacks on misconfigured Docker honeypots were cryptojacking attacks, and [Kinsing](https://unit42.paloaltonetworks.com/cve-2020-25213/) was the most common malware with a total of 360 attacks, based on [May 2021 research](https://unit42.paloaltonetworks.com/docker-honeypot/).
3. Cryptojacking is still the most commonly seen attack on unsecured Kubernetes clusters, according to [Palo Alto Networks Unit 42](https://unit42.paloaltonetworks.com/unsecured-kubernetes-instances/).
4. Attackers targeting vulnerable [Docker and Kubernetes](https://www.bleepingcomputer.com/news/security/coinminer-campaigns-move-to-the-cloud-via-docker-kubernetes/) applications to mine for cryptocurrency often look for software vulnerabilities or misconfigured services to take control of the cloud environment.

## **Compromised Cloud Credentials Lead to Huge Financial Losses**

Recently, the Cortex XDR research team investigated a cloud breach in which the victim's resources were hijacked to run cryptomining operations. The adversaries had gained access to the company's cloud resources using company credentials that had been leaked from a version control platform. Version control platforms are popular today because they allow software development teams to collaborate and to update, back up and roll back code easily. However, such services can also be an entry point for attack because, in a small number of instances, various configuration files have been exposed publicly without the client's awareness.

Once the attackers had gathered the credentials, it took them only a few hours to create **nearly 4,000 compute resources** in a single project, powering unauthorized mining capabilities on a large scale, while creating a headache and a huge cloud computing bill for the victim's organization.

![Caption: Attack flow](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-49.png)
*Attack flow*

How do companies get breached?
Well, there are many fairly easy targets that adversaries constantly abuse, such as API keys accidentally exposed by human error. These credentials can be found on local filesystems, listed in code repository configuration, and more. They can also be leaked via software vulnerabilities in popular resources or services, phishing attempts, and other attack vectors. Adversaries always pick the easiest target, saving time and effort that allows them to breach more victims.

Adversaries don't need advanced skills to find exposed API keys; there are services that crawl common cloud services and extract publicly available data. Various sources might expose such sensitive data, for instance GitHub, where developers might upload their configuration file or other related variables accidentally or deliberately.

Once data is exposed in a public repository, adversaries might use known open-source tools to extract this sensitive data, such as [TruffleHog](https://github.com/trufflesecurity/truffleHog), which is highly common. While software development and version control vendors like GitHub scan for sensitive data once the data is uploaded, developers may not immediately remove the sensitive data. So adversaries, as well as penetration testers, can still use these tools to find leaked data.

To demonstrate the above, we can show how a common service exposes sensitive information when looking for key entities, such as credentials, passwords, or APIs. The results included numerous exposed credentials that could potentially enable us to compromise the victim's cloud environment or other services that might be on premises.

![Caption: Crawling cloud credentials](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-50.png)
*Crawling cloud credentials*

Results of exposed cloud credentials that were crawled from publicly exposed, highly prevalent CSP storage buckets.

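
The defender's counterpart to this crawling is to scan configuration files for credential shapes before they reach a public repository or bucket, in the spirit of tools like TruffleHog. The following is an added example, not code from the original post; the rule set, entropy cut-off and sample files are assumptions, and the AWS values are AWS's published documentation placeholders.

```python
"""Pre-commit / CI secret scan. Added example: rules and samples are assumptions."""
import json
import math
import re
from collections import Counter
from pathlib import Path

# Publicly documented credential shapes; a small assumed rule set, not exhaustive.
RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "generic_secret_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|passw(?:or)?d|token)\w*['\"]?\s*[:=]\s*"
        r"['\"]([^'\"\s]{16,})['\"]"
    ),
}
MIN_ENTROPY = 3.5  # bits per character; assumed cut-off to drop placeholder values


def shannon_entropy(value):
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def redact(value):
    """Keep enough to locate the secret without copying it into CI logs."""
    return value[:4] + "..."


def is_gcp_service_account_key(text):
    """GCP service-account key files are JSON with type=service_account and a private_key."""
    try:
        doc = json.loads(text)
    except ValueError:
        return False
    return (isinstance(doc, dict) and doc.get("type") == "service_account"
            and "private_key" in doc)


def scan_text(path, text):
    """Return (path, line, rule, redacted_value) tuples for one file's contents."""
    if is_gcp_service_account_key(text):
        return [(path, 1, "gcp_service_account_key", "<key file>")]
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(match.lastindex or 0)
            if rule == "generic_secret_assignment" and shannon_entropy(value) < MIN_ENTROPY:
                continue  # low-entropy values such as "changeme" placeholders
            findings.append((path, lineno, rule, redact(value)))
    return findings


def scan_tree(root):
    """Scan every readable text file under root, skipping VCS metadata."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and ".git" not in path.parts and path.stat().st_size < 1_000_000:
            try:
                findings += scan_text(str(path), path.read_text(encoding="utf-8"))
            except (UnicodeDecodeError, OSError):
                continue  # binary or unreadable file
    return findings


# Constructed sample files. The AWS values are AWS's documentation placeholders.
SAMPLES = {
    "settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'DB_PASSWORD = "changeme-changeme-changeme"\n'
    ),
    "deploy/sa-key.json": json.dumps({
        "type": "service_account",
        "project_id": "example-project",
        "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    }),
}


def scan_samples():
    return [f for path, text in SAMPLES.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for finding in scan_samples():
        print(*finding, sep="\t")
```

Run `scan_tree(".")` in a pre-commit hook or CI job and fail the build on any finding; a key that has already been pushed must be revoked, not just deleted from the file.
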
Sampling one of the results indicated that there are indeed sensitive known CSP credentials within the file:

![Caption: Exposed client's cloud credentials](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-51.png)
*Exposed client's cloud credentials*

In such scenarios, the sooner you respond, the less you lose, but such behavior is not easy to detect or mitigate. Cloud environments are built for high scalability and agile functionality, allowing organizations to implement their complex procedures in so many ways that also work in favor of the attackers.

Organizations strive to keep their services running all the time, so any downtime can damage their business. When dealing with such scenarios, we want to focus on the compromised assets, such as identities and resources, minimizing any chance of damaging the operation. Before we do that, we need to understand what common methods adversaries use on compromised environments to mine for cryptocurrency.

There are a few known techniques in the cloud that adversaries use to create a powerful operation to mine for cryptocurrency. In most cases they'll use compute instances with their own payloads, which can be seen in a few formations:

1. Deploying inexpensive compute resources in large volume within a short time frame, or in multiple medium-volume batches across multiple regions to avoid possible detection. The rush to create massive volumes can allow the attacker to leverage more resources in a short time, making more profit until the SOC operations team is notified and can handle the case. Also, in most cloud providers you can define a budget deviation, so when the account reaches a specified cloud computing cost in a day or hour, the customer will get a notification that there is a possibility of a crypto mining attack in the environment. However, there are cases of adversaries killing existing resources so as not to trigger this threshold.
2. Creating low volumes of highly expensive compute machines, attempting to stay under the radar by generating as few logs and as little data as possible, using top-notch GPU/CPU components that give the attacker considerable compute power and profit.
3. Abusing Docker's services to deploy custom or default containers with crypto mining payloads, using public penetration tools, such as Peirates, to attack some CSP functions and Kubernetes instances. We've already seen these techniques being used by [TeamTNT, which was researched](https://unit42.paloaltonetworks.com/teamtnt-operations-cloud-environments/) by Unit 42 from Palo Alto Networks.

## **Agent or Agentless Detection?** **I'll Have Both Please**

Dealing with such scenarios can be pretty difficult, as many legitimate operations, such as auto scaling services and casual testing with multiple compute resources, produce behavior patterns similar to attacks. On the other hand, adversaries are constantly trying to improve their techniques, attack surface, and evasion techniques, which can be fairly hard to cope with.

Like most human beings, adversaries do not like to lose money, so they always think about creative ways to bypass security detection and mitigation, like:

1. Using a **proxy to hide mining pools** that already appear on security vendors' blacklists or watchlists, mainly to evade detection based on network or DNS data, as already reported by [Unit 42 from Palo Alto Networks](https://unit42.paloaltonetworks.com/unit42-large-scale-monero-cryptocurrency-mining-operation-using-xmrig/).
2. **Encrypting mining traffic**, which bypasses most network detection features that rely on inspecting the transmitted payload, by enabling the SSL/TLS support found in various mining protocols, such as Ethereum.
3. Attempting to break the EDR agent by **excluding their processes** or **invoking their payloads using LOLBIN-like** processes. [GTFOBins](https://gtfobins.github.io/) is a commonly known source for retrieving images that do not exist on the victim machine. This bypasses most EDR solutions that rely on process whitelisting, and was already reported in a [Unit 42 from Palo Alto Networks](https://unit42.paloaltonetworks.com/unit42-large-scale-monero-cryptocurrency-mining-operation-using-xmrig/) blog post as well.

Also, there are cases where adversaries attempt to **abuse cloud-based agents** to avoid detection, previously [seen against a popular cloud provider](https://www.bleepingcomputer.com/news/security/alibaba-ecs-instances-actively-hijacked-by-cryptomining-malware/).

The Cortex XDR Research team has developed multiple ways to protect against cryptojacking, starting **with cloud protection** that enables customers to tackle these exact scenarios by learning the environment's relationships and behaviors. As a result, Cortex XDR can detect cryptojacking even if adversaries attempt to bypass endpoint security measures. Cortex XDR Cloud will detect activities such as suspicious allocation of compute resources, notifying the SOC team of a potential attack.

![Caption: XCloud feature triggers on suspicious Cryptomining activity](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-52.png)
*XCloud feature triggers on suspicious Cryptomining activity*

On the other hand, our **EDR agent has a unique feature** that breaks down network protocols and identifies most cryptominers out there, without evaluating the process or the driver that launches these operations, allowing our clients to stop most cryptocurrency miners available today. This can be a huge differentiation factor when it comes to evasive miners that limit their resource consumption to avoid detection.

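
On the agentless side, the "suspicious allocation of compute resources" signal, together with the provisioning formations and the context this post asks about (source ASN, region, machine class), can be approximated over cloud audit logs with a sliding window per identity. This is an added example, not Cortex XDR's logic or code from the original post; the normalized event schema, thresholds and sample events are assumptions.

```python
"""Agentless detection sketch over cloud audit logs (added example, assumed schema)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # sliding window per identity (assumed tuning)
BURST_MIN = 20                  # creations in one window that count as a burst
SPREAD_MIN_REGIONS = 3          # distinct regions touched in one window
CREATE = "instance.create"      # hypothetical normalized action name


def build_baseline(history):
    """Regions, machine types and source ASNs the organization normally uses."""
    base = {"region": set(), "machine_type": set(), "source_asn": set()}
    for ev in history:
        if ev["action"] == CREATE:
            for field in base:
                base[field].add(ev[field])
    return base


def detect(events, baseline):
    """Return {principal: {"count", "signals", "severity"}} for flagged identities."""
    windows = defaultdict(deque)
    found = defaultdict(lambda: {"count": 0, "signals": set()})
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] != CREATE:
            continue
        win = windows[ev["principal"]]
        win.append(ev)
        while ev["time"] - win[0]["time"] > WINDOW:
            win.popleft()
        rec = found[ev["principal"]]
        rec["count"] += 1
        if len(win) >= BURST_MIN:                        # large volume, short time
            rec["signals"].add("burst")
        if len({e["region"] for e in win}) >= SPREAD_MIN_REGIONS:
            rec["signals"].add("multi_region")           # spread across regions
        for field in baseline:                           # context vs. the baseline
            if ev[field] not in baseline[field]:
                rec["signals"].add("unusual_" + field)
    report = {}
    for principal, rec in found.items():
        if rec["signals"]:
            # One signal alone (e.g. an autoscaler burst) only warrants review;
            # two independent signals corroborate each other.
            rec["severity"] = "high" if len(rec["signals"]) >= 2 else "review"
            report[principal] = rec
    return report


def make_event(minute, principal, region, machine_type, asn, action=CREATE):
    start = datetime(2022, 3, 1, 9, 0)  # constructed timestamps
    return {"time": start + timedelta(minutes=minute), "principal": principal,
            "action": action, "region": region, "machine_type": machine_type,
            "source_asn": asn}


def sample_history():
    """Constructed baseline: the autoscaler's normal footprint."""
    return [make_event(-1440 + i, "svc-autoscaler", region, "e2-standard-4", 64500)
            for i, region in enumerate(["us-east1", "europe-west1"])]


def sample_events():
    """Constructed audit events; ASNs 64500/64510 are documentation-range values."""
    regions = ["us-east1", "us-west1", "asia-east1", "southamerica-east1"]
    events = [make_event(0.2 * i, "svc-autoscaler", "us-east1", "e2-standard-4", 64500)
              for i in range(25)]
    events += [make_event(0.1 * i, "ci-deploy-key", regions[i % 4], "e2-standard-4", 64510)
               for i in range(40)]
    events += [make_event(30 + i, "dev-alice", "europe-west1", "a2-highgpu-8g", 64510)
               for i in range(2)]
    events.append(make_event(45, "dev-bob", "us-east1", "e2-standard-4", 64500))
    events.append(make_event(46, "dev-bob", "us-east1", "e2-standard-4", 64500,
                             "instance.delete"))
    return events


if __name__ == "__main__":
    for who, rec in detect(sample_events(), build_baseline(sample_history())).items():
        print(who, rec["severity"], rec["count"], sorted(rec["signals"]))
```

The low-volume case (`dev-alice`, two GPU-class instances) is caught by the baseline comparison rather than by volume, which is why the machine-class and ASN checks run on every creation event.
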
![Caption: Behavioral network detection triggers on mining activity](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-53.png)
*Behavioral network detection triggers on mining activity*

## **Considerations When Investigating a Potential Attack**

Containing and recovering from a cryptojacking attack can be stressful. However, there are a few questions you can ask yourself during an investigation that can simplify the response process and minimize the risk of disrupting legitimate activity.

Once you discover that the identity and resources are compromised, you must contain attacks either by limiting access, blocking, stopping resources, disabling user accounts or performing other actions, to avoid more damage or money loss.

Starting from the possible compromised identity that created the resources, these are some steps to take when investigating incidents:

1. Which geolocation/ASN were the commands executed from? Is it usual for your organization?
2. Are there any other alerts that relate to this identity? Mainly ones that will increase our confidence, such as enumeration, discovery, or persistence.

From a resources perspective:

1. Are compute instances normally created in this region?
2. Are the machine classes that were created normally used within your organization?
3. Which images were deployed? Were they customized? Are there any indications of what content or script was running there?

## **Where Are We Heading?**

Today, Cortex XDR blocks cryptojacking malware through its threat prevention stack, which includes AI-driven local analysis, Behavioral Threat Protection, exploit prevention and more. However, it's challenging to stop cryptojacking attacks that start with compromised credentials and don't involve traditional malware.

Even if Cortex XDR detects mining behavior, does this detection ensure you can stop attacks before the damage is done? If your SOC team is highly responsive and professional then, yes.
The quicker your team responds to an alert, the less money is lost. We know, though, that the best solution would be to block this activity automatically, if we could do so without blocking legitimate activity.

Our research team is working on different approaches across the Cortex portfolio of products to help automate response when cryptojacking activity is detected, even if the attack originated with compromised credentials. Our goal is to provide customers with granular controls and innovative, new analytics methods that block any type of cryptojacking attack without stopping authorized activity.