Laccolith: Hypervisor-Based Adversary Emulation with Anti-Detection (2311.08274v3)

Published 14 Nov 2023 in cs.CR and cs.OS

Abstract: Advanced Persistent Threats (APTs) represent the most threatening form of attack nowadays since they can stay undetected for a long time. Adversary emulation is a proactive approach for preparing against these attacks. However, adversary emulation tools lack the anti-detection abilities of APTs. We introduce Laccolith, a hypervisor-based solution for adversary emulation with anti-detection to fill this gap. We also present an experimental study to compare Laccolith with MITRE CALDERA, a state-of-the-art solution for adversary emulation, against five popular anti-virus products. We found that CALDERA cannot evade detection, limiting the realism of emulated attacks, even when combined with a state-of-the-art anti-detection framework. Our experiments show that Laccolith can hide its activities from all the tested anti-virus products, thus making it suitable for realistic emulations.
