27 lines
1.2 KiB
JSON
27 lines
1.2 KiB
JSON
{
|
|
"type": "attack-pattern",
|
|
"spec_version": "2.1",
|
|
"id": "attack-pattern--4cba5eeb-0031-47d3-9390-9f4fa6b57f88",
|
|
"created": "2025-06-20T00:00:00Z",
|
|
"modified": "2025-06-20T00:00:00Z",
|
|
"name": "APT ProxyAutoDetect Abuse for Execution",
|
|
"description": "Adversaries may abuse the undocumented Acquire::http::ProxyAutoDetect directive in APT by placing a config file that points to a local binary. This binary is executed whenever APT accesses an HTTP repository, allowing for stealthy persistence and execution.",
|
|
"x_mitre_platforms": ["Linux"],
|
|
"x_mitre_tactics": ["persistence", "execution", "defense-evasion"],
|
|
"x_mitre_permissions_required": ["root"],
|
|
"x_mitre_data_sources": [
|
|
"Process monitoring",
|
|
"File monitoring",
|
|
"Command execution"
|
|
],
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "mitre-attack",
|
|
"phase_name": "persistence"
|
|
}
|
|
],
|
|
"x_mitre_detection": "Monitor /etc/apt/apt.conf.d/ for unusual files. Look for Acquire::http::ProxyAutoDetect values pointing to local binaries. Detect apt-spawned processes that are not part of expected behavior.",
|
|
"x_mitre_version": "1.0",
|
|
"x_mitre_contributors": ["Phillip John Tarrant"]
|
|
}
|