Advanced Persistent Threats (APTs) represent the most threatening form of attack nowadays since they can stay undetected for a long time. Adversary emulation is a proactive approach for preparing against these attacks. However, adversary emulation tools lack the anti-detection abilities of APTs. We introduce Laccolith, a hypervisor-based solution for adversary emulation with anti-detection to fill this gap. We also present an experimental study to compare Laccolith with MITRE CALDERA, a state-of-the-art solution for adversary emulation, against five popular anti-virus products. We found that CALDERA cannot evade detection, limiting the realism of emulated attacks, even when combined with a state-of-the-art anti-detection framework. Our experiments show that Laccolith can hide its activities from all the tested anti-virus products, thus making it suitable for realistic emulations.

翻译：高级持续性威胁（Advanced Persistent Threats, APTs）是当前最具威胁性的攻击形式，因其能够长时间保持隐蔽。对手仿真是一种应对此类攻击的主动方法。然而，现有对手仿真工具缺乏APTs所具备的反检测能力。我们提出Laccolith，一种基于虚拟机监控器的解决方案，用于实现具备反检测功能的对手仿真，以填补这一空白。我们还开展了一项实验研究，将Laccolith与当前最先进的对手仿真方案MITRE CALDERA进行对比，测试其面对五款主流反病毒产品的表现。研究发现，即使结合最先进的反检测框架，CALDERA仍无法规避检测，这限制了仿真攻击的真实性。我们的实验表明，Laccolith能够对所有测试的反病毒产品隐藏其活动，因此适用于高真实度的仿真场景。