first commit

README.md

@@ -0,0 +1,65 @@
+# APT ProxyAutoDetect Persistence (PoC)
+
+This repository demonstrates a technique for achieving execution and persistence by abusing an **undocumented feature** in the Advanced Packaging Tool (APT) on Debian-based Linux systems.
+
+---
+
+## 🔍 Technique Summary
+
+APT supports an undocumented config directive:
+
+    Acquire::http::ProxyAutoDetect "/absolute/path/to/binary";
+
+If placed in a file inside `/etc/apt/apt.conf.d/`, APT will execute the specified binary whenever it attempts to access an HTTP repository (e.g., during `apt update`, `apt install`, etc.).
+
+- `stdout` of the binary is treated as the proxy URL.
+- `stderr` is shown to the user but ignored.
+- No arguments are allowed — only absolute binary paths.
+
+---
+
+## 🎯 Use Cases
+
+- **Persistence**: Binary is run every time APT is used, including via automated scripts or cron.
+- **Execution**: Runs code covertly under a legitimate process tree (`apt` → custom binary).
+- **Defense Evasion**: Doesn’t rely on systemd, cron, or shell profile files.
+
+---
+
+## ⚙️ Demo Setup
+
+1. Install the config and script:
+
+    # This copies the config and shell script to /etc/apt/apt.conf.d/
+    ```
+    sudo ./install.sh
+    ```
+
+2. Run `apt update`:
+
+    ```
+    sudo apt update
+    ```
+
+---
+
+## 🧬 MITRE ATT&CK Mapping
+
+| Tactic          | Technique                                      |
+|-----------------|------------------------------------------------|
+| Persistence     | [T1546] Event Triggered Execution              |
+| Execution       | [T1546.008] Application Shimming (analogous)  |
+| Defense Evasion | [T1565.001] Stored Data Manipulation           |
+
+---
+
+## 📩 Disclosure
+
+This issue has been reported to the MITRE ATT&CK team for inclusion as a technique or sub-technique.
+
+---
+
+## 🔐 Author
+
+Phillip Tarrant  
+[https://www.linkedin.com/in/phillip-tarrant-cyber/](https://www.linkedin.com/in/phillip-tarrant-cyber/)