English

Laccolith: Hypervisor-Based Adversary Emulation with Anti-Detection

Cryptography and Security 2024-04-30 v3 Operating Systems

Abstract

Advanced Persistent Threats (APTs) represent the most threatening form of attack nowadays since they can stay undetected for a long time. Adversary emulation is a proactive approach for preparing against these attacks. However, adversary emulation tools lack the anti-detection abilities of APTs. We introduce Laccolith, a hypervisor-based solution for adversary emulation with anti-detection to fill this gap. We also present an experimental study to compare Laccolith with MITRE CALDERA, a state-of-the-art solution for adversary emulation, against five popular anti-virus products. We found that CALDERA cannot evade detection, limiting the realism of emulated attacks, even when combined with a state-of-the-art anti-detection framework. Our experiments show that Laccolith can hide its activities from all the tested anti-virus products, thus making it suitable for realistic emulations.

Keywords

Cite

@article{arxiv.2311.08274,
  title  = {Laccolith: Hypervisor-Based Adversary Emulation with Anti-Detection},
  author = {Vittorio Orbinato and Marco Carlo Feliciano and Domenico Cotroneo and Roberto Natella},
  journal= {arXiv preprint arXiv:2311.08274},
  year   = {2024}
}
R2 v1 2026-06-28T13:20:54.241Z