{ "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--4cba5eeb-0031-47d3-9390-9f4fa6b57f88", "created": "2025-06-20T00:00:00Z", "modified": "2025-06-20T00:00:00Z", "name": "APT ProxyAutoDetect Abuse for Execution", "description": "Adversaries may abuse the undocumented Acquire::http::ProxyAutoDetect directive in APT by placing a configuration file in which the directive points to a local binary. APT executes this binary whenever it accesses an HTTP repository, allowing for stealthy persistence and execution.", "x_mitre_platforms": ["Linux"], "x_mitre_tactics": ["persistence", "execution", "defense-evasion"], "x_mitre_permissions_required": ["root"], "x_mitre_data_sources": [ "Process monitoring", "File monitoring", "Command execution" ], "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_detection": "Monitor /etc/apt/apt.conf.d/ for unusual files. Look for Acquire::http::ProxyAutoDetect values pointing to local binaries; the directive is also accepted under the spelling Acquire::http::Proxy-Auto-Detect, so match both forms. Detect processes spawned by apt that are not part of its expected behavior.", "x_mitre_version": "1.0", "x_mitre_contributors": ["Phillip John Tarrant"] }