Advanced Persistent Threats (APTs) represent the most threatening form of attack today, since they can remain undetected for a long time. Adversary emulation is a proactive approach for preparing defenses against these attacks. However, existing adversary emulation tools lack the anti-detection abilities of APTs. We introduce Laccolith, a hypervisor-based solution for adversary emulation with anti-detection, to fill this gap. We also present an experimental study that compares Laccolith with MITRE CALDERA, a state-of-the-art solution for adversary emulation, against five popular anti-virus products. We found that CALDERA cannot evade detection, even when combined with a state-of-the-art anti-detection framework, which limits the realism of the emulated attacks. Our experiments show that Laccolith can hide its activities from all the tested anti-virus products, making it suitable for realistic emulations.