first commit

stix/apt-proxyautodetect-technique.json

@@ -0,0 +1,26 @@
+{
+  "type": "attack-pattern",
+  "spec_version": "2.1",
+  "id": "attack-pattern--4cba5eeb-0031-47d3-9390-9f4fa6b57f88",
+  "created": "2025-06-20T00:00:00Z",
+  "modified": "2025-06-20T00:00:00Z",
+  "name": "APT ProxyAutoDetect Abuse for Execution",
+  "description": "Adversaries may abuse the undocumented Acquire::http::ProxyAutoDetect directive in APT by placing a config file that points to a local binary. This binary is executed whenever APT accesses an HTTP repository, allowing for stealthy persistence and execution.",
+  "x_mitre_platforms": ["Linux"],
+  "x_mitre_tactics": ["persistence", "execution", "defense-evasion"],
+  "x_mitre_permissions_required": ["root"],
+  "x_mitre_data_sources": [
+    "Process monitoring",
+    "File monitoring",
+    "Command execution"
+  ],
+  "kill_chain_phases": [
+    {
+      "kill_chain_name": "mitre-attack",
+      "phase_name": "persistence"
+    }
+  ],
+  "x_mitre_detection": "Monitor /etc/apt/apt.conf.d/ for unusual files. Look for Acquire::http::ProxyAutoDetect values pointing to local binaries. Detect apt-spawned processes that are not part of expected behavior.",
+  "x_mitre_version": "1.0",
+  "x_mitre_contributors": ["Phillip John Tarrant"]
+}