# APT ProxyAutoDetect Persistence (PoC)

This repository demonstrates a technique for achieving execution and persistence on Debian-based Linux systems by abusing the proxy auto-detection hook of the Advanced Packaging Tool (APT): a legitimate, documented but rarely used configuration directive that makes APT run an arbitrary local binary.
## 🔍 Technique Summary

APT supports a configuration directive that names an external program to discover the HTTP proxy (documented in apt.conf(5) as `Acquire::http::Proxy-Auto-Detect`; `ProxyAutoDetect` is the legacy spelling and is still accepted):

```
Acquire::http::ProxyAutoDetect "/absolute/path/to/binary";
```

If placed in a file inside `/etc/apt/apt.conf.d/`, APT will execute the specified binary whenever it attempts to access an HTTP repository (e.g., during `apt update`, `apt install`, etc.).

- stdout of the binary is treated as the proxy URL (`http://proxy:port/`). Printing `DIRECT` tells APT to use no proxy, and empty output falls back to the normal proxy settings, so a hook can run without breaking APT or alerting the user.
- stderr is shown to the user but otherwise ignored.
- The directive value must be an absolute path to an executable. APT executes it directly rather than through a shell, so no arguments or shell syntax can be embedded in the directive (recent APT versions pass the target URI as the program's first and only argument).
## 🎯 Use Cases

- Persistence: the binary is run every time APT contacts an HTTP repository, including runs triggered by automated scripts, cron jobs or unattended-upgrades.
- Execution: runs code covertly under a legitimate process tree (`apt` → custom binary).
- Defense Evasion: does not rely on systemd units, cron, or shell profile files, which are the locations most persistence hunts check first.
## ⚙️ Demo Setup

1. Install the config and script. This copies the config fragment and the shell script to `/etc/apt/apt.conf.d/`:

   ```
   sudo ./install.sh
   ```

2. Run `apt update`, which triggers the hook:

   ```
   sudo apt update
   ```
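As an added example (not the repository's `install.sh`, whose contents are not shown here), the script below stages the same kind of hook into a directory of your choosing and then audits a directory for such hooks the way a defender would. It covers both the directive contract described in the Technique Summary and the install step above. Assumed names that are not from the project: the fragment filename `99proxy-autodetect`, the hook path passed as an argument, the `HOOK_LOG` variable the hook writes to, and the `demo`/`audit` subcommands.

```shell
#!/bin/sh
# Added example, not the repository's install.sh: stage a ProxyAutoDetect hook
# into a directory we control (runs without root, never touches the live
# /etc/apt/apt.conf.d), then audit a directory for such hooks.
# Assumed names: fragment file 99proxy-autodetect, the hook path passed in,
# and the HOOK_LOG variable the staged hook writes to.

# stage_hook DIR BIN
# Writes the config fragment into DIR and the hook script to BIN.
stage_hook() {
    dir=$1; bin=$2
    mkdir -p "$dir" "$(dirname "$bin")"
    # The value must be an absolute path: APT execs it directly, so nothing
    # after the path (arguments, shell syntax) would be honoured.
    printf 'Acquire::http::ProxyAutoDetect "%s";\n' "$bin" > "$dir/99proxy-autodetect"
    # The hook itself. Whatever it does is a side effect APT never sees; the
    # only contract is stdout: a proxy URL, or DIRECT for "no proxy".
    cat > "$bin" <<'EOF'
#!/bin/sh
# Constructed payload: record that we ran and as which uid (APT may run its
# acquire methods unprivileged, so this shows what the hook really gets).
printf '%s apt proxy hook ran as uid %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -u)" \
    >> "${HOOK_LOG:-/tmp/apt-proxy-hook.log}"
echo DIRECT
EOF
    chmod 0755 "$bin"
}

# find_proxy_hooks DIR
# Prints "FRAGMENT BINARY OWNER" for every Proxy(-)Auto(-)Detect directive
# under DIR. OWNER is the dpkg package that ships BINARY, or "unowned" when
# no package claims it, which is the case worth investigating.
find_proxy_hooks() {
    grep -rHiE 'Acquire::https?::Proxy-?Auto-?Detect' "$1" 2>/dev/null |
    while IFS= read -r line; do
        file=${line%%:*}
        bin=$(printf '%s\n' "$line" | sed -n 's/.*"\([^"]*\)".*/\1/p')
        [ -n "$bin" ] || continue
        if command -v dpkg >/dev/null 2>&1 && dpkg -S "$bin" >/dev/null 2>&1; then
            owner=$(dpkg -S "$bin" | cut -d: -f1)
        else
            owner=unowned
        fi
        printf '%s %s %s\n' "$file" "$bin" "$owner"
    done
}

# Stand-alone use: `sh example.sh demo` stages into a temp dir and audits it;
# `sh example.sh audit` audits the real /etc/apt/apt.conf.d.
case ${1:-} in
    demo)  d=$(mktemp -d); stage_hook "$d/apt.conf.d" "$d/bin/proxy-hook"
           find_proxy_hooks "$d/apt.conf.d" ;;
    audit) find_proxy_hooks /etc/apt/apt.conf.d ;;
esac
```

`sh example.sh demo` reports the staged hook as unowned by any dpkg package, which is the signal to look for on a real host. When auditing, pair the directory scan with `apt-config dump | grep -i auto-detect`, because that shows the effective value from every configuration source APT reads, not only `/etc/apt/apt.conf.d/`. The uid the staged hook records in its log tells you which privilege the hook actually executes with on your APT version.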
## 🧬 MITRE ATT&CK Mapping

| Tactic | Technique |
|---|---|
| Persistence | [T1546] Event Triggered Execution |
| Execution | [T1546.011] Application Shimming (analogous; a Windows sub-technique, cited as the closest existing entry) |
| Defense Evasion | [T1565.001] Stored Data Manipulation |
## 📩 Disclosure
This issue has been reported to the MITRE ATT&CK team for inclusion as a technique or sub-technique.
## 🔐 Author
Phillip Tarrant
https://www.linkedin.com/in/phillip-tarrant-cyber/