Laccolith: Hypervisor-Based Adversary Emulation with Anti-Detection

Vittorio Orbinato, Marco Carlo Feliciano, Domenico Cotroneo, Roberto Natella

TL;DR

Laccolith tackles the challenge of realistic adversary emulation by enabling anti-detection capabilities at the hypervisor level, addressing the dwell-time problem of APTs. It introduces a full-stack architecture with a central emulation manager, a hypervisor-based emulation server, and a kernel-space emulation agent injected into guests via a VM introspection-driven two-stage shellcode chain. The work provides a working prototype on QEMU/KVM with Windows guests, and presents a thorough experimental comparison against MITRE CALDERA (with and without anti-detection) and atomic toolkits across five AV products, showing Laccolith’s superiority in evading detection and enabling complete adversary-profile progress. The findings imply significant practical impact for cyber-range exercises and defense training, offering realistic emulations without disabling AV/EDR protections, while recognizing limitations to Windows and current hypervisor support that motivate future generalization and optimization.

Abstract

Advanced Persistent Threats (APTs) represent the most threatening form of attack nowadays since they can stay undetected for a long time. Adversary emulation is a proactive approach for preparing against these attacks. However, adversary emulation tools lack the anti-detection abilities of APTs. We introduce Laccolith, a hypervisor-based solution for adversary emulation with anti-detection to fill this gap. We also present an experimental study to compare Laccolith with MITRE CALDERA, a state-of-the-art solution for adversary emulation, against five popular anti-virus products. We found that CALDERA cannot evade detection, limiting the realism of emulated attacks, even when combined with a state-of-the-art anti-detection framework. Our experiments show that Laccolith can hide its activities from all the tested anti-virus products, thus making it suitable for realistic emulations.

Paper Structure (19 sections, 2 equations, 5 figures, 10 tables)

Figures (5)

  • Figure 1: OilRig Operational Steps. The red dotted arrows represent C2 communication, the black ones the operational steps.
  • Figure 2: Adversary emulation traditional architecture.
  • Figure 3: Laccolith architecture.
  • Figure 4: Injection method in Laccolith.
  • Figure 5: Experimental setup.