apt-detonate/README.md
2025-06-20 15:31:27 +00:00

# APT ProxyAutoDetect Persistence (PoC)
This repository demonstrates a technique for achieving execution and persistence by abusing a **documented but rarely audited** proxy auto-detection hook in the Advanced Package Tool (APT) on Debian-based Linux systems.
---
## 🔍 Technique Summary
APT supports a config directive for external proxy discovery. It is documented in apt.conf(5) as `Acquire::http::Proxy-Auto-Detect`; the legacy spelling used by this PoC is still honoured:
```
Acquire::http::ProxyAutoDetect "/absolute/path/to/binary";
```
If placed in a file inside `/etc/apt/apt.conf.d/`, APT runs the named binary before every fetch it makes from an `http://` source (`apt update`, `apt install`, `apt-get`, and automated runs such as unattended-upgrades).
- APT invokes the binary with a single argument: the URI of the host it is about to contact.
- `stdout` of the binary is treated as the proxy to use: a URL such as `http://proxy:3128/`, the word `DIRECT` for no proxy, or nothing, which makes APT fall back to its ordinary proxy settings (the quiet choice for a PoC).
- `stderr` is passed through to the user's terminal and otherwise ignored.
- The value must be a bare absolute path. APT executes it directly, without a shell, so no arguments or interpreter can be given in the directive itself.
- Caveats: if the current spelling `Acquire::http::Proxy-Auto-Detect` is already set (for example by `squid-deb-proxy-client` or `auto-apt-proxy`), it takes precedence over the legacy name and the PoC hook is never called; hosts that have a host-specific `Acquire::http::Proxy::<host>` entry are also skipped.
---
## 🎯 Use Cases
- **Persistence**: the binary runs every time any APT front end fetches from an HTTP source, including automated runs from cron or unattended-upgrades, so it survives reboots without a unit file or scheduled task of its own.
- **Execution**: code runs under a legitimate process tree (`apt` → APT's http method → hook binary), blending into package-management activity.
- **Defense Evasion**: it doesn't rely on systemd units, cron entries, or shell profile files, the places most persistence hunts look first.
- **Prerequisite**: `/etc/apt/apt.conf.d/` is root-owned, so planting the drop-in needs root (the demo uses `sudo`). This is persistence after privilege escalation, not a way to obtain it.
---
## ⚙️ Demo Setup
1. Install the config and script:
```
# This copies the config and shell script to /etc/apt/apt.conf.d/
sudo ./install.sh
```
2. Run `apt update`:
```
sudo apt update
```
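As an added example (not the repository's own `install.sh`, which is not shown on this page), the following script builds the two pieces the technique needs in a scratch directory instead of `/etc`, so the mechanics can be inspected without touching the host's APT configuration. The file names, the log location and the `PROXY_DETECT_LOG` variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the repository's install.sh): build the drop-in and the
# hook it names in a scratch directory instead of /etc, so the mechanics can
# be inspected without touching the host's APT configuration.
# File names, the log location and the PROXY_DETECT_LOG variable are
# assumptions made for this example.

set -eu

# Write the APT drop-in and the hook script into "$1".
write_poc() {
    dir="$1"
    hook="$dir/proxy-detect.sh"
    mkdir -p "$dir/apt.conf.d"

    # The hook APT will execute. APT calls it with one argument, the URI of
    # the host it is about to contact (apt.conf(5), Proxy-Auto-Detect).
    cat > "$hook" <<'EOF'
#!/bin/sh
# $1 is the repository URI APT is about to fetch from; record it.
# Anything written to stderr is passed straight to the apt user, so stay quiet.
printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${1:-}" \
    >> "${PROXY_DETECT_LOG:-/tmp/proxy-detect.log}"
# Empty stdout tells APT to fall back to its normal proxy settings, so the
# host's apt behaviour is unchanged. Printing "http://proxy:3128/" instead
# would route the download through that proxy; "DIRECT" forces no proxy.
exit 0
EOF
    chmod 0755 "$hook"

    # The drop-in. The value is a bare absolute path: no shell, no arguments.
    # Proxy-Auto-Detect is the current name; ProxyAutoDetect is the legacy
    # spelling the PoC uses, and both are honoured.
    printf 'Acquire::http::ProxyAutoDetect "%s";\n' "$hook" \
        > "$dir/apt.conf.d/99proxy-detect"
}

# Invoke the hook the way APT would (a single URI argument) and print what
# APT would read from its stdout.
run_helper() {
    PROXY_DETECT_LOG="$1/hits.log" "$1/proxy-detect.sh" "$2"
}

# Number of times the hook has been called, taken from its log.
hit_count() {
    wc -l < "$1/hits.log" | tr -d ' '
}

demo() {
    d="$(mktemp -d)"
    write_poc "$d"
    cat "$d/apt.conf.d/99proxy-detect"
    run_helper "$d" "http://deb.debian.org/debian"
    run_helper "$d" "http://security.debian.org"
    echo "hook invocations logged: $(hit_count "$d")"
    # To have the real apt parse the drop-in without installing it:
    #   apt-config -c "$d/apt.conf.d/99proxy-detect" dump | grep -i proxyautodetect
}

case "${1:-}" in demo) demo ;; esac
```

Run it with `sh script.sh demo`. The hook deliberately prints nothing, so a host carrying it keeps its existing proxy behaviour; the only observable change is the log line per fetch, which is what makes the hook a quiet beacon and also what a defender can look for.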
---
## 🧬 MITRE ATT&CK Mapping
| Tactic | Technique |
|-----------------|------------------------------------------------|
| Persistence | [T1546] Event Triggered Execution |
| Execution | [T1546.008] Application Shimming (analogous) |
| Defense Evasion | [T1565.001] Stored Data Manipulation (catalogued under Impact in ATT&CK; used here for the config-file write) |
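A defender's check, added here and not part of the PoC: hunt an APT configuration tree for proxy auto-detect directives and assess the binary each one names. The sample tree built by `make_sample_tree` is constructed for the example; on a real host point `audit_apt_config` at `/etc/apt/apt.conf.d` and cross-check with `apt-config dump`.

```shell
#!/bin/sh
# Added example, not part of the PoC: hunt for proxy auto-detect hooks in an
# APT configuration tree and assess the binary each one points at.
# The sample tree built in make_sample_tree is constructed for this example.

set -eu

# Print "file hook-path" for every ProxyAutoDetect / Proxy-Auto-Detect
# directive under the directory given, skipping // and # comment lines.
# Caveat: this only sees the one-line 'Acquire::http::... "value";' form.
# The nested 'Acquire { http { ProxyAutoDetect "..."; } }' form and values
# passed with -o on the command line are invisible to grep; `apt-config dump`
# shows the merged configuration and is the authoritative check on a live box.
find_proxy_hooks() {
    grep -rHE '[Pp]roxy-?[Aa]uto-?[Dd]etect' "$1" 2>/dev/null \
    | grep -vE '^[^:]*:[[:space:]]*(//|#)' \
    | sed -nE 's/^([^:]*):.*[Pp]roxy-?[Aa]uto-?[Dd]etect[[:space:]]*"([^"]*)".*$/\1 \2/p'
}

# One-line assessment of a hook binary. Ownership and writability decide
# whether a non-root user could have planted it or can still modify it.
assess_hook() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 0
    fi
    owner="$(stat -c %U "$path")"
    mode="$(stat -c %a "$path")"
    flags=""
    [ "$owner" = root ] || flags="$flags non-root-owner"
    [ $((0$mode & 022)) -eq 0 ] || flags="$flags group-or-world-writable"
    [ -x "$path" ] || flags="$flags not-executable"
    case "$path" in
        /usr/*|/etc/*) ;;
        *) flags="$flags outside-system-dirs" ;;
    esac
    [ -n "$flags" ] || flags=" ok"
    echo "HOOK $path owner=$owner mode=$mode flags:$flags"
}

# Walk every hook the config tree names and print an assessment for each.
audit_apt_config() {
    find_proxy_hooks "$1" | while read -r conf hook; do
        printf '%s -> ' "$conf"
        assess_hook "$hook"
    done
}

# Constructed sample tree: one benign drop-in, one commented-out directive,
# one live http hook (world-writable, as a planted script often is) and one
# https hook whose target does not exist.
make_sample_tree() {
    d="$1"
    mkdir -p "$d/apt.conf.d" "$d/bin"
    printf 'APT::Install-Recommends "false";\n' > "$d/apt.conf.d/00norecommends"
    printf '// Acquire::http::Proxy-Auto-Detect "/usr/bin/legit-helper";\n' > "$d/apt.conf.d/10disabled"
    printf 'Acquire::http::ProxyAutoDetect "%s/bin/hook.sh";\n' "$d" > "$d/apt.conf.d/99proxy-detect"
    printf 'Acquire::https::Proxy-Auto-Detect "/nonexistent/hook";\n' > "$d/apt.conf.d/99https"
    printf '#!/bin/sh\nexit 0\n' > "$d/bin/hook.sh"
    chmod 0777 "$d/bin/hook.sh"
}

demo() {
    d="$(mktemp -d)"
    make_sample_tree "$d"
    audit_apt_config "$d/apt.conf.d"
    # On a real host:
    #   audit_apt_config /etc/apt/apt.conf.d
    #   apt-config dump | grep -i 'proxy-\?auto-\?detect'
}

case "${1:-}" in demo) demo ;; esac
```

Any hook at all is worth a look, since legitimate users of the directive (`squid-deb-proxy-client`, `auto-apt-proxy`) install root-owned binaries under `/usr`; a hook outside the system directories, owned by a non-root user, or writable by others is the signal to pull the file and the drop-in that references it.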
---
## 📩 Disclosure
This issue has been reported to the MITRE ATT&CK team for inclusion as a technique or sub-technique.
---
## 🔐 Author
Phillip Tarrant
[https://www.linkedin.com/in/phillip-tarrant-cyber/](https://www.linkedin.com/in/phillip-tarrant-cyber/)