What starting position does this attack require?

The first step is Move laterally via cloud APIs (T1078) — a initial access primitive. Assumed environment: an endpoint accepts XML input (SAML, SOAP, document upload, RSS importer).

What is the final impact of this kill-chain?

The final step lands on XXE → SSRF (SYSTEM "http://169.254.169.254") (W-XXE-SSRF), which falls under Lateral Movement. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

XXE → SSRF → IMDS → cloud creds

XML parser configured with external entities resolution. Use XXE to make the server hit IMDS and exfiltrate cloud credentials via DTD trickery.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Move laterally via cloud APIs

T1078 · Valid Accounts

Credential Access

Recover IAM credentials

T1552 · Unsecured Credentials

Reconnaissance

Find XML-accepting endpoint

W-RECON-API-DISCO · API Endpoint Discovery

Lateral Movement

Read IMDS via parameter entity exfil

W-SSRF-IMDS · SSRF → Cloud IMDS

Lateral Movement

Confirm XXE via OOB callback

W-XXE-BLIND-OOB · Blind XXE — Out-of-Band Exfil

Lateral Movement

XXE → SSRF (SYSTEM "http://169.254.169.254")

W-XXE-SSRF · XXE → SSRF

§ Context

Assumed environment: an endpoint accepts XML input (SAML, SOAP, document upload, RSS importer). XML parser doesn't disable DOCTYPE / external entities.

§ Steps

01
Move laterally via cloud APIsInitial Access
T1078— Valid Accounts
02
Recover IAM credentialsCredential Access
T1552— Unsecured Credentials
03
Find XML-accepting endpointReconnaissance
W-RECON-API-DISCO— API Endpoint Discovery
04
Read IMDS via parameter entity exfilLateral Movement
W-SSRF-IMDS— SSRF → Cloud IMDS
05
Confirm XXE via OOB callbackLateral Movement
W-XXE-BLIND-OOB— Blind XXE — Out-of-Band Exfil
06
XXE → SSRF (SYSTEM "http://169.254.169.254")Lateral Movement
W-XXE-SSRF— XXE → SSRF

§ References

T1078Valid Accounts
T1552Unsecured Credentials

§ Frequently asked

What is the "XXE → SSRF → IMDS → cloud creds" attack path?: XML parser configured with external entities resolution. Use XXE to make the server hit IMDS and exfiltrate cloud credentials via DTD trickery. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Move laterally via cloud APIs (T1078) — a initial access primitive. Assumed environment: an endpoint accepts XML input (SAML, SOAP, document upload, RSS importer).
What is the final impact of this kill-chain?: The final step lands on XXE → SSRF (SYSTEM "http://169.254.169.254") (W-XXE-SSRF), which falls under Lateral Movement. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

XXE → SSRF → IMDS → cloud creds

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

SSRF → IMDS → cloud creds → lateral

Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022)

F5 BIG-IP iControl auth bypass (CVE-2022-1388) → root on LB

Spectre-class side-channel → cross-tenant memory leak

Open MQTT broker → smart-estate takeover

Exported ContentProvider → private data leak