Here I collect notes from ongoing security research: code auditing techniques, threat hunting procedures, detection engineering experiments, and practical hardening checklists. The goal is to translate real incidents and assessments into reusable playbooks for fellow defenders.
Threat Hunting Notes: Detecting XXE Abuse
While partnering with the DevOps group on eliminating XML External Entity (XXE) bugs, I also built a detection playbook to catch real-world exploitation. Internal services often run with elevated permissions, so even a low-volume XXE probe can give an attacker high-impact secrets. Below is the stack we assembled to watch for abuse without drowning the SOC in false positives.

Telemetry sources.

We forward the reverse proxy logs, application structured logs, Falco alerts, and AWS CloudTrail events into our SIEM. XXE attempts typically include three telltale signs: <!DOCTYPE declarations, outbound calls to the metadata service (169.254.169.254), and errors linked to unexpected entity expansion. Capturing all three lets us correlate attempts to a specific service or user. ...
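The correlation described above, as an added example that is not part of the original notes or of the author's SIEM content: it scans a handful of constructed log lines (the "source service=... user=... message" layout, the service and user names, and the message wording are all assumptions made up for the example) for the three indicators, groups hits by service and user, and only reports a pair when at least two distinct indicators coincide, so a lone DOCTYPE in a legitimate XHTML or SOAP body does not page anyone.

```python
"""Added example: correlate the three XXE indicators across constructed log lines."""
import re
from collections import defaultdict

# Indicator 1: a DOCTYPE declaration in a request body or application log.
DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
# Indicator 2: an outbound call to the cloud instance metadata service.
METADATA_RE = re.compile(r"169\.254\.169\.254")
# Indicator 3: parser errors that point at unexpected entity handling.
ENTITY_ERR_RE = re.compile(
    r"(entity\s+expansion|undefined entity|external entity|SAXParseException)",
    re.IGNORECASE,
)
# Assumed normalized line layout: "<source> service=<svc> user=<user> <message>".
LINE_RE = re.compile(r"^(?P<source>\w+) service=(?P<service>\S+) user=(?P<user>\S+) (?P<msg>.*)$")

# Constructed sample telemetry (not real logs); billing-api/svc-batch trips all three signs,
# reports/svc-report only carries a harmless DOCTYPE from an XHTML document.
SAMPLE_LOGS = [
    'proxy service=billing-api user=svc-batch POST /v1/import body="<?xml version=\'1.0\'?><!DOCTYPE foo><a/>"',
    'app service=billing-api user=svc-batch level=ERROR msg="XML parse failed: entity expansion limit reached"',
    "falco service=billing-api user=svc-batch outbound connection to 169.254.169.254:80 from pid 4211",
    "cloudtrail service=billing-api user=svc-batch eventName=GetCallerIdentity sourceIPAddress=10.0.3.7",
    "proxy service=search user=alice GET /health",
    'app service=search user=alice level=ERROR msg="upstream timeout"',
    'proxy service=reports user=svc-report POST /render body="<!doctype html><html><body/></html>"',
]


def parse_line(line):
    """Split one normalized line into source, service, user and free-text message."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(message):
    """Return the set of XXE indicators present in a single message."""
    hits = set()
    if DOCTYPE_RE.search(message):
        hits.add("doctype")
    if METADATA_RE.search(message):
        hits.add("metadata_ip")
    if ENTITY_ERR_RE.search(message):
        hits.add("entity_error")
    return hits


def correlate(lines):
    """Group indicator hits by (service, user) and remember which telemetry sources fired."""
    by_key = defaultdict(lambda: {"indicators": set(), "sources": set(), "events": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        hits = classify(rec["msg"])
        if not hits:
            continue
        entry = by_key[(rec["service"], rec["user"])]
        entry["indicators"] |= hits
        entry["sources"].add(rec["source"])
        entry["events"] += 1
    return by_key


def findings(lines, min_indicators=2):
    """Report (service, user) pairs with at least min_indicators distinct signs, strongest first."""
    out = []
    for (service, user), e in correlate(lines).items():
        if len(e["indicators"]) >= min_indicators:
            out.append({
                "service": service,
                "user": user,
                "indicators": sorted(e["indicators"]),
                "sources": sorted(e["sources"]),
                "events": e["events"],
            })
    out.sort(key=lambda f: (-len(f["indicators"]), f["service"], f["user"]))
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_LOGS):
        print(f"{f['service']} / {f['user']}: {f['indicators']} via {f['sources']} ({f['events']} events)")
```

The threshold is the noise control: with `min_indicators=2` only billing-api/svc-batch is reported, while lowering it to 1 would also surface the reports service's benign HTML DOCTYPE, which is exactly the kind of alert the SOC does not want. In a real SIEM the grouping key would also carry a time window so that hits days apart are not stitched together.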