Threat Hunting Notes: Detecting XXE Abuse

While partnering with the DevOps group on eliminating XML External Entity (XXE) bugs, I also built a detection playbook to catch real-world exploitation. Internal services often run with elevated permissions, so even a low-volume XXE probe can give an attacker high-impact secrets. Below is the stack we assembled to watch for abuse without drowning the SOC in false positives.

Telemetry sources.

We forward the reverse proxy logs, application structured logs, Falco alerts, and AWS CloudTrail events into our SIEM. XXE attempts typically include three telltale signs: <!DOCTYPE declarations, outbound calls to the metadata service (169.254.169.254), and errors linked to unexpected entity expansion. Capturing all three lets us correlate attempts to a specific service or user. ...
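A minimal version of that correlation, written here as an added example rather than the post's own tooling: constructed JSON events stand in for the normalised proxy, Falco and application records, each is tagged for the three indicators named above, and tags are grouped by service and user so that a lone indicator does not page anyone. The field names, the benign legacy-DTD event and the two-indicator threshold are assumptions.

```python
import json
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs), one JSON line per event, in the
# shape the SIEM would hold after normalisation. Field names are assumptions.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"source": "proxy", "service": "billing-api", "user": "svc-partner",
     "body": '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY e SYSTEM "file:///placeholder">]><r>&e;</r>'},
    {"source": "falco", "service": "billing-api", "user": "svc-partner",
     "rule": "Outbound connection to cloud metadata service", "dest": "169.254.169.254:80"},
    {"source": "app", "service": "billing-api", "user": "svc-partner",
     "level": "error", "msg": "XML parse failed: entity expansion limit exceeded"},
    # Legacy SOAP client that ships a harmless DOCTYPE with every request.
    {"source": "proxy", "service": "catalog-api", "user": "jdoe",
     "body": '<?xml version="1.0"?><!DOCTYPE order SYSTEM "order.dtd"><order/>'},
    {"source": "cloudtrail", "service": "reporting", "user": "svc-batch",
     "eventName": "GetCallerIdentity"},
]]

# The three telltale signs from the post, as regexes over the flattened event.
INDICATORS = {
    "doctype": re.compile(r"<!DOCTYPE", re.I),
    "metadata_ip": re.compile(r"\b169\.254\.169\.254\b"),
    "entity_error": re.compile(r"entity expansion|undefined entity|external entity", re.I),
}


def classify(event):
    """Return the set of XXE indicator names present in one normalised event."""
    text = " ".join(str(v) for v in event.values())
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def correlate(lines):
    """Union the indicators seen per (service, user) across every telemetry source."""
    hits = defaultdict(set)
    for line in lines:
        event = json.loads(line)
        tags = classify(event)
        if tags:
            hits[(event["service"], event["user"])] |= tags
    return hits


def hunt(lines, min_indicators=2):
    """Alert only when one service/user pair shows at least min_indicators distinct
    signs; a single DOCTYPE from a legitimate DTD-using client stays below the bar."""
    return sorted(k for k, tags in correlate(lines).items() if len(tags) >= min_indicators)


if __name__ == "__main__":
    for service, user in hunt(SAMPLE_EVENTS):
        print(f"possible XXE exploitation: service={service} user={user}")
```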

2024-10-05 · 2 min · Almog Shoshan