Advanced Persistent Threats (APTs) are currently the most threatening form of attack, since they can remain undetected for a long time. Adversary emulation is a proactive approach for preparing against these attacks. However, existing adversary emulation tools lack the anti-detection abilities of real APTs. To fill this gap, we introduce Laccolith, a hypervisor-based solution for adversary emulation with anti-detection capabilities. We also present an experimental study that compares Laccolith with MITRE CALDERA, a state-of-the-art adversary emulation solution, against five popular anti-virus products. We found that CALDERA cannot evade detection, even when combined with a state-of-the-art anti-detection framework, which limits the realism of the emulated attacks. Our experiments show that Laccolith can hide its activities from all the tested anti-virus products, making it suitable for realistic emulations.