Core concept
Laccolith is a hypervisor-based adversary-emulation solution that lets malicious actions be executed during an emulation campaign without being detected by antivirus products, overcoming a limitation of existing emulation tools.
Summary
The paper introduces Laccolith, a novel hypervisor-based architecture for adversary emulation with anti-detection capabilities. Its key points are:
Existing adversary emulation tools, such as MITRE CALDERA, lack the anti-detection capabilities that real Advanced Persistent Threats (APTs) possess, which limits the realism of the attacks they emulate. Disabling antivirus (AV) products for the duration of an emulation is not a viable workaround in critical domains.
Laccolith uses the hypervisor's privileged access to the guest virtual machine's memory to inject a kernel-level emulation agent into the guest. Because the agent is introduced from outside the guest and runs in kernel mode, it executes its actions directly from the kernel, bypassing the checks that AV products perform, so the actions go undetected. This approach presupposes that the emulation target runs as a virtual machine under a hypervisor the emulation operator controls.
The authors evaluated Laccolith experimentally against MITRE CALDERA and two atomic test tools (Atomic Red Team and Invoke-Adversary) on systems protected by five popular AV products. CALDERA and the atomic tools could not evade detection, whereas Laccolith executed all of the malicious actions without raising a single AV alert.
Laccolith lets the operator configure, action by action, whether an action should execute stealthily or in a detectable way. This enables realistic emulation scenarios in which the blue team can analyze the resulting system state and learn from the emulated attack.