{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/palo-alto-networks/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Cortex XDR","Cortex XSIAM","Unit 42 Frontier AI Defense","Prisma Cloud","Cortex XSOAR","Cortex Xpanse","Prisma SASE","Prisma Access","Prisma SD-WAN"],"_cs_severities":["high"],"_cs_tags":["cloud-security","iam","incident-response","threat-detection"],"_cs_type":"advisory","_cs_vendors":["Palo Alto Networks"],"content_html":"\u003cp\u003eThe 2026 Unit 42 Global Incident Response Report highlights that threat actors are moving 4x faster to exfiltration than in 2025, exploiting blind spots due to an over-reliance on endpoint data. The proliferation of cloud services, microservices, and remote users has expanded the attack surface beyond what any single tool can monitor. Unit 42 found that in 75% of incidents, critical evidence was present in logs but wasn\u0026rsquo;t accessible or operationalized, allowing attackers to exploit the gaps. Organizations need to evolve their SOCs to ingest and correlate telemetry across their entire IT landscape, including IAM, cloud assets, OT/IoT, and AI workloads. Unit 42 recommends a single-pane-of-glass strategy powered by an AI-driven SOC platform like Cortex XSIAM to combat these threats.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access via Cloud Misconfiguration:\u003c/strong\u003e The attacker gains initial access through a misconfigured cloud service access key.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCloud Console Manipulation:\u003c/strong\u003e The attacker manipulates the cloud console to hide their tracks from endpoint detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePivot to Cloud-Hosted Server:\u003c/strong\u003e From the cloud console, the attacker pivots to a cloud-hosted server to begin discovery.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Theft (Covert C2):\u003c/strong\u003e The attacker utilizes DNS tunneling to a cloud storage location for C2 communication and steals credentials to use legitimate applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker moves laterally using the stolen credentials, triggering impossible travel alerts across SaaS apps.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRogue Asset Introduction:\u003c/strong\u003e The attacker introduces a rogue device into the network, bypassing traditional endpoint security measures.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker maintains persistence through the rogue device, using it for covert movement and access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The attacker exfiltrates sensitive data, taking advantage of the gaps in security visibility.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eOrganizations are increasingly vulnerable to rapid data exfiltration due to the expanded attack surface and reliance on endpoint-centric security. The inability to correlate telemetry across diverse IT zones allows attackers to operate undetected, leading to significant data breaches, financial losses, and reputational damage. Unit 42\u0026rsquo;s research shows that attackers are moving 4x faster to exfiltration, exacerbating the impact of successful intrusions. The attacks target cloud environments, identity systems, and networks, creating a complex threat landscape for security teams to navigate.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIngest and correlate telemetry from all IT zones (IAM, cloud, OT/IoT, AI workloads) into a single repository, as described in the overview, to eliminate data silos and gain holistic visibility.\u003c/li\u003e\n\u003cli\u003eImplement User and Entity Behavior Analytics (UEBA) as mentioned in the overview, to detect anomalous behavior indicative of compromised credentials by using a centralized workbench.\u003c/li\u003e\n\u003cli\u003eDeploy Cortex XSIAM, as discussed in the overview, to leverage AI-driven alert stitching, ML-based incident scoring, and UEBA for automated detection, investigation, and response.\u003c/li\u003e\n\u003cli\u003eImplement continuous network monitoring and external attack surface management to detect and manage rogue assets, as highlighted in the attack chain.\u003c/li\u003e\n\u003cli\u003eEvaluate your current visibility through a formal assessment as recommended in the conclusion, to identify gaps in security coverage.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T23:13:22Z","date_published":"2026-05-01T23:13:22Z","id":"/briefs/2026-06-detection-beyond-endpoint/","summary":"Threat actors are rapidly exfiltrating data by exploiting blind spots created by an over-reliance on endpoint data, necessitating a comprehensive security approach that incorporates cloud, identity, and network telemetry for effective threat detection and response.","title":"Expanding Detection Beyond Endpoints to Counter Evolving Threats","url":"https://feed.craftedsignal.io/briefs/2026-06-detection-beyond-endpoint/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["hickory-recursor","hickory-resolver"],"_cs_severities":["medium"],"_cs_tags":["dns","cache-poisoning","zone-delegation"],"_cs_type":"advisory","_cs_vendors":["Palo Alto Networks","Hickory DNS"],"content_html":"\u003cp\u003eThe Hickory DNS project\u0026rsquo;s experimental \u003ccode\u003ehickory-recursor\u003c/code\u003e crate, now integrated into \u003ccode\u003ehickory-resolver\u003c/code\u003e under the \u003ccode\u003erecursor\u003c/code\u003e feature, contains a vulnerability in its DNS record cache (\u003ccode\u003eDnsLru\u003c/code\u003e). The cache stores records based on the record\u0026rsquo;s name and type, rather than the originating query. This design flaw allows for cross-zone cache poisoning because the \u003ccode\u003ecache_response()\u003c/code\u003e function chains \u003ccode\u003eANSWER\u003c/code\u003e, \u003ccode\u003eAUTHORITY\u003c/code\u003e, and \u003ccode\u003eADDITIONAL\u003c/code\u003e sections into a single record iterator during insertion. The bailiwick filter uses the zone context of the NS pool that serviced the lookup, leading to improper validation of records from sibling zones. This issue affects all published versions of the experimental \u003ccode\u003ehickory-recursor\u003c/code\u003e crate prior to its integration into \u003ccode\u003ehickory-resolver\u003c/code\u003e 0.26.0. Users of the \u003ccode\u003ehickory-dns\u003c/code\u003e binary configured with the \u003ccode\u003erecursor\u003c/code\u003e feature are affected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker registers the domain \u003ccode\u003eattacker.poc.\u003c/code\u003e and sets up a malicious nameserver.\u003c/li\u003e\n\u003cli\u003eHickory DNS server queries the nameserver for \u003ccode\u003eattacker.poc.\u003c/code\u003e to build its NS pool.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s nameserver responds with an \u003ccode\u003eAUTHORITY\u003c/code\u003e section that includes a malicious record delegating a sibling zone, such as \u003ccode\u003evictim.poc.\u003c/code\u003e, to \u003ccode\u003ens.evil.poc.\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Hickory DNS server\u0026rsquo;s bailiwick check incorrectly validates the malicious \u003ccode\u003evictim.poc. NS ns.evil.poc.\u003c/code\u003e record because \u003ccode\u003evictim.poc.\u003c/code\u003e is a subdomain of the parent zone \u003ccode\u003epoc.\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious NS record for \u003ccode\u003evictim.poc.\u003c/code\u003e is stored in the cache, keyed by \u003ccode\u003e(victim.poc., NS)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA client queries the Hickory DNS server for a name within the \u003ccode\u003evictim.poc.\u003c/code\u003e zone.\u003c/li\u003e\n\u003cli\u003eHickory DNS server builds its NS pool for \u003ccode\u003evictim.poc.\u003c/code\u003e using the poisoned cache entry, directing queries to \u003ccode\u003ens.evil.poc.\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s nameserver now receives queries intended for the legitimate \u003ccode\u003evictim.poc.\u003c/code\u003e nameserver, allowing the attacker to intercept and manipulate DNS resolution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to redirect DNS queries for a target domain to an attacker-controlled nameserver. This can lead to various malicious activities, including phishing attacks, man-in-the-middle attacks, and the distribution of malware. The vulnerability affects any system using Hickory DNS with the \u003ccode\u003erecursor\u003c/code\u003e feature enabled, potentially impacting a wide range of users relying on the resolver for DNS resolution. If the targeted domain is critical for service delivery (e.g., email, web), the impact could be significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003ehickory-resolver\u003c/code\u003e version 0.26.0 or later with the \u003ccode\u003erecursor\u003c/code\u003e feature enabled to address the vulnerability as described in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-83hf-93m4-rgwq\"\u003ehttps://github.com/advisories/GHSA-83hf-93m4-rgwq\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, disable the \u003ccode\u003erecursor\u003c/code\u003e feature in \u003ccode\u003ehickory-dns\u003c/code\u003e to prevent exploitation.\u003c/li\u003e\n\u003cli\u003eImplement monitoring for unexpected NS record changes, focusing on \u003ccode\u003eAUTHORITY\u003c/code\u003e sections of DNS responses, using a custom rule based on your environment and typical DNS configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T18:10:58Z","date_published":"2026-04-30T18:10:58Z","id":"/briefs/2024-11-hickory-dns-poisoning/","summary":"The experimental `hickory-recursor` crate in Hickory DNS is vulnerable to cross-zone cache poisoning due to storing DNS records keyed by record name/type instead of query, enabling an attacker to redirect queries for a victim zone to an attacker-controlled nameserver.","title":"Hickory DNS Recursor Cache Poisoning via Sibling Zone Delegation","url":"https://feed.craftedsignal.io/briefs/2024-11-hickory-dns-poisoning/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Adobe Acrobat Update Task","Sure Click","Secure Access Client","CtxsDPS.exe","Openvpn-gui.exe","Veeam Endpoint Backup","Cisco Secure Client","Concentr.exe","Receiver","AnalyticsSrv.exe","Redirector.exe","Download Navigator","Jabra Direct","Vmware Workstation","Eset Security","iTunes","Keepassxc.exe","Globalprotect","Pdf24.exe","Vmware Tools","Teams"],"_cs_severities":["medium"],"_cs_tags":["persistence","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Adobe","HP","Intel","Acronis","Java","Citrix","OpenVPN","Veeam","Cisco","Epson","Jabra","VMware","ESET","iTunes","KeePassXC","Palo Alto Networks","PDF24"],"content_html":"\u003cp\u003eThe Windows Installer (msiexec.exe) is a legitimate system tool used for installing, updating, and removing software on Windows systems. Adversaries can abuse msiexec.exe to establish persistence mechanisms by creating malicious scheduled tasks or modifying registry run keys. This allows them to execute arbitrary code during system startup or user logon. This technique is attractive to attackers due to msiexec.exe being a trusted Windows binary, potentially evading detection by security solutions that focus on flagging unknown or suspicious processes. The use of msiexec.exe for persistence can be difficult to detect without specific monitoring rules, as it is a common and legitimate system process. This activity can be observed across various Windows versions and is frequently integrated into automated attack frameworks and scripts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised system, potentially through phishing, exploitation of a vulnerability, or stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages msiexec.exe to create a new scheduled task using the \u003ccode\u003eschtasks.exe\u003c/code\u003e command, setting it to execute a malicious script or binary.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses msiexec.exe in conjunction with \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell to modify registry keys under \u003ccode\u003eHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u003c/code\u003e or \u003ccode\u003eHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u003c/code\u003e, adding a pointer to their malicious executable.\u003c/li\u003e\n\u003cli\u003eThe created scheduled task or registry entry points to a malicious payload, such as a reverse shell or a downloader.\u003c/li\u003e\n\u003cli\u003eThe system is restarted, or the user logs on, triggering the execution of the newly created scheduled task or the malicious binary through the modified registry run key.\u003c/li\u003e\n\u003cli\u003eThe malicious payload executes, establishing a persistent foothold for the attacker on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform further actions, such as data exfiltration, lateral movement, or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows the adversary to maintain persistent access to the compromised system. This can lead to data theft, system compromise, deployment of ransomware, or use of the system as a staging point for further attacks within the network. A single compromised system can be used to pivot and compromise additional systems, leading to a widespread security breach. The impact can include financial losses, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for msiexec.exe spawning \u003ccode\u003eschtasks.exe\u003c/code\u003e or \u003ccode\u003ereg.exe\u003c/code\u003e to create scheduled tasks or modify registry run keys (reference: rules in this brief).\u003c/li\u003e\n\u003cli\u003eImplement and tune the Sigma rules provided in this brief to detect suspicious msiexec.exe activity related to persistence mechanisms.\u003c/li\u003e\n\u003cli\u003eReview and audit existing scheduled tasks and registry run keys for any suspicious entries or anomalies.\u003c/li\u003e\n\u003cli\u003eEnable file integrity monitoring (FIM) on critical system directories, including the Windows Task Scheduler directory and registry run key locations (reference: event.category == \u0026ldquo;file\u0026rdquo; and file.path \u0026hellip; and event.category == \u0026ldquo;registry\u0026rdquo; and registry.path \u0026hellip; in the rule query).\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or unknown executables (reference: rule query).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-09-05T14:17:05Z","date_published":"2024-09-05T14:17:05Z","id":"/briefs/2024-09-msiexec-persistence/","summary":"Adversaries may establish persistence by abusing the Windows Installer (msiexec.exe) to create scheduled tasks or modify registry run keys, allowing for malicious code execution upon system startup or user logon.","title":"Persistence via Windows Installer (Msiexec)","url":"https://feed.craftedsignal.io/briefs/2024-09-msiexec-persistence/"}],"language":"en","title":"CraftedSignal Threat Feed — Palo Alto Networks","version":"https://jsonfeed.org/version/1.1"}