aryma/Ares-mythic
1
0
Fork 0
mirror of https://github.com/Aryma-f4/Ares-mythic.git synced 2026-06-12 19:54:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

first commit

Browse Source
This commit is contained in:
Aryma
2026-04-14 12:17:24 +07:00
commit 2f05f67733
799 changed files with 531884 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
documentation-payload/apollo/opsec/_index.md Normal file
View File

@@ -0,0 +1,20 @@
+++
title = "OPSEC"
chapter = true
weight = 10
pre = "<b>1. </b>"
+++
## Table of Contents
Below are considerations about Apollo's underlying behavior that may affect decisions during operation. Use this as a guide to ensure proper OPSEC and avoid detection when using Apollo. Additionally, all artifacts that are generated during task execution are logged by Apollo into Mythic under the Artifacts tab. Review the documentation of each command to determine what artifacts are generated before executing a command.
- [API Resolvers](/agents/apollo/opsec/apiresolvers/)
- [Evasion](/agents/apollo/opsec/evasion/)
- [Fork and Run Commands](/agents/apollo/opsec/forkandrun/)
- [Injection](/agents/apollo/opsec/injection/)
- [Environmental Keying](/agents/apollo/opsec/keying/)
## Example Artifacts
![artifacts](/agents/apollo/opsec/images/artifacts.png)

11
documentation-payload/apollo/opsec/apiresolvers.md Normal file
View File

@@ -0,0 +1,11 @@
+++
title = "API Resolvers"
chapter = false
weight = 102
+++
## Win32 API Resolution
At the time of writing this (1/29/2022), Apollo by default uses a single API resolver to resolve all native Win32 API calls it needs to perform its duties. This resolver is a simple resolver that first checks if the required module is currently loaded into the current process and, if not, loads it. Once the module is loaded it then calls `GetProcAddress` to get a pointer to the requested function.
However, there is a resolver that leverages the [DInvoke](https://github.com/TheWover/DInvoke) project to do all API resolution. Currently, there is no option to enable this from the UI or from agent tasking; however, in the future, this could be modifiable by an operator on build or during tasking. If one wanted to create their own custom API resolver outside of the two mentioned, see the [API Resolvers](/agents/apollo/contributing/apiresolvers/) documentation for how to contribute one.

36
documentation-payload/apollo/opsec/evasion.md Normal file
View File

@@ -0,0 +1,36 @@
+++
title = "Evasion"
chapter = false
weight = 102
+++
## Evasion in Apollo
Apollo has several commands to modify post-exploitation parameters when performing a variety of tasks. These commands are:
- [`spawnto_x64`](/agents/apollo/commands/spawnto_x64/)
- [`spawnto_x86`](/agents/apollo/commands/spawnto_x86/)
- [`ppid`](/agents/apollo/commands/ppid/)
- [`blockdlls`](/agents/apollo/commands/blockdlls/)
- [`get_injection_techniques`](/agents/apollo/commands/get_injection_techniques/)
- [`set_injection_technique`](/agents/apollo/commands/set_injection_technique/)
### SpawnTo Commands
These commands are used to specify what process should be spawned in any [fork and run](/agents/apollo/opsec/forkandrun) tasking, such as [`execute_assembly`](/agents/apollo/commands/execute_assembly). By default, these values are set to `rundll32.exe`.
### Parent Process ID
Sometimes it's desirable to have sacrificial jobs appear as though they were spawned under another parent process besides your own. This prevents attribution of that child process's activities to your currently executing Apollo agent. To change the parent process for all jobs that spawn new processes, issue `ppid [pid]`.
{{% notice warning %}}
Here be dragons! Changing the PPID of processes can cause agent stability issues in some scenarios. For example: You should _never_ change the parent process to a process that is outside your current desktop session.
{{% /notice %}}
### Block DLLs
This prevents non-Microsoft signed DLLs from loading into your child processes. While most EDR software is now signed by Microsoft, this can occasionally help prevent side-loading of unwanted DLLs.
### Injection Technique Management
Apollo has several post-exploitation tasks that leverage process injection. A full discussion of this can be found at the [injection documentation page](/agents/apollo/opsec/injection).

24
documentation-payload/apollo/opsec/forkandrun.md Normal file
View File

@@ -0,0 +1,24 @@
+++
title = "Fork and Run Commands"
chapter = false
weight = 102
+++
## What is Fork and Run?
"Fork and Run" is an agent architecture that spawns sacrificial processes in a suspended state to inject shellcode into.
## Fork and Run in Apollo
Apollo uses the fork and run architecture for a variety of jobs. These jobs will all first spawn a new process specified by the [`spawnto_x86`](/agents/apollo/commands/spawnto_x86) or [`spawnto_x64`](/agents/apollo/commands/spawnto_x64) commands. The parent process of these new processes is specified by the [`ppid`](/agents/apollo/commands/ppid/) command. Once the process is spawned, Apollo will use the currently set injection technique to inject into the remote process.
The following commands use the fork and run architecture:
- [`execute_assembly`](/agents/apollo/commands/execute_assembly/)
- [`mimikatz`](/agents/apollo/commands/mimikatz/)
- [`powerpick`](/agents/apollo/commands/powerpick/)
- [`printspoofer`](/agents/apollo/commands/printspoofer/)
- [`pth`](/agents/apollo/commands/pth/)
- [`dcsync`](/agents/apollo/commands/pth/)
- [`spawn`](/agents/apollo/commands/spawn/)
- [`execute_pe`](/agents/apollo/commands/execute_pe/)

0
documentation-payload/apollo/opsec/images/_index.md Normal file
View File

BIN
documentation-payload/apollo/opsec/images/artifacts.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 54 KiB

29
documentation-payload/apollo/opsec/injection.md Normal file
View File

@@ -0,0 +1,29 @@
+++
title = "Process Injection"
chapter = false
weight = 102
+++
## Process Injection in Apollo
Apollo has abstracted process injection into its own project and has the following techniques implemented:
- CreateRemoteThread
- QueueUserAPC (early bird)
- NtCreateThreadEx (via Syscalls)
As an operator, sometimes one injection technique is more desirable than another. To facilitate this, the [`get_injection_techniques`](/agents/apollo/commands/get_injection_techniques) command will list all currently loaded injection techniques the agent knows about. Similarly, [`set_injection_technique`](/agents/apollo/commands/set_injection_technique) will update the currently used injection technique throughout all post-exploitation jobs.
## Commands Leveraging Injection
All of Apollo's [fork and run commands](/agents/apollo/opsec/forkandrun/) use injection to inject into a sacrificial process; however, there are additional commands that inject into other processes. Those commands are:
- [`assembly_inject`](/agents/apollo/commands/assembly_inject/)
- [`inject`](/agents/apollo/commands/inject/)
- [`keylog_inject`](/agents/apollo/commands/keylog/)
- [`psinject`](/agents/apollo/commands/psinject/)
- [`shinject`](/agents/apollo/commands/shinject/)
- [`screenshot_inject`](/agents/apollo/commands/screenshot_inject)
{{% notice info %}}
Some injection techniques are incompatible with the aforementioned commands. For example: If QueueUserAPC is in use, the above commands will fail as it leverages the early bird version of QueueUserAPC, not the APC bombing technique.
{{% /notice %}}

161
documentation-payload/apollo/opsec/keying.md Normal file
View File

@@ -0,0 +1,161 @@
+++
title = "Environmental Keying"
chapter = false
weight = 103
+++
## Environmental Keying in Apollo
Environmental keying is a technique that restricts agent execution to specific systems. If the keying check fails, the agent will exit immediately and silently without executing any code or attempting to connect to the C2 server.
### Purpose
Environmental keying helps protect against:
- Accidental execution on unintended systems
- Sandbox detonation and automated analysis
### Keying Methods
Apollo supports three methods of environmental keying:
#### 1. Hostname Keying
The agent will only execute if the machine's hostname matches the specified value.
**Use Case:** When you know the exact hostname of your target system.
**Example:** If you set the keying value to `WORKSTATION-01`, the agent will only run on a machine with that exact hostname.
**Security:** Secure (hash-based)
#### 2. Domain Keying
The agent will only execute if the machine's domain name matches the specified value. Domain matching is forgiving and checks both the full domain and individual parts.
**Use Case:** When targeting systems within a specific Active Directory domain.
**Example:** If you set the keying value to `CONTOSO`, the agent will match:
- Full domain: `CONTOSO.LOCAL`
- Full domain: `CORP.CONTOSO.COM`
- Domain part: `CONTOSO` (from `CONTOSO.LOCAL`)
- Domain part: `CONTOSO` (from `CORP.CONTOSO.COM`)
This flexibility handles cases where `Environment.UserDomainName` may return different formats (e.g., `CONTOSO` vs `CONTOSO.LOCAL`).
**Security:** Secure (hash-based)
#### 3. Registry Keying
The agent will only execute if a specific registry value matches or contains the specified value. This method offers two comparison modes:
**Matches Mode (Secure - Recommended):**
- Uses SHA256 hash comparison
- The registry value must exactly match the keying value (case-insensitive)
- Hash stored in binary, not plaintext
- More secure but requires exact match
**Contains Mode (WEAK - Use with Caution):**
- Uses plaintext substring comparison
- The registry value must contain the keying value anywhere within it
- ⚠️ **WARNING:** Stores the keying value in **PLAINTEXT** in the binary
- ⚠️ **WARNING:** Easily extracted with strings command
- More flexible but significantly less secure
**Example Matches Mode:**
```
Registry Path: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
Registry Value: Windows 10 Pro
Comparison: Matches
```
Agent executes only if the ProductName exactly matches "Windows 10 Pro"
**Example Contains Mode (WEAK):**
```
Registry Path: HKLM\SOFTWARE\Company\Product\InstallID
Registry Value: UniqueInstallGUID-12345
Comparison: Contains
```
Agent executes if InstallID contains "UniqueInstallGUID-12345" anywhere in the value
**Registry Path Format:**
`HIVE\SubKey\Path\To\ValueName`
Supported hives:
- `HKLM` or `HKEY_LOCAL_MACHINE`
- `HKCU` or `HKEY_CURRENT_USER`
- `HKCR` or `HKEY_CLASSES_ROOT`
- `HKU` or `HKEY_USERS`
- `HKCC` or `HKEY_CURRENT_CONFIG`
### Configuration
During the agent build process, you can enable keying through the build parameters:
1. **Enable Keying** - Check this box to enable environmental keying
2. **Keying Method** - Select "Hostname", "Domain", or "Registry"
3. **For Hostname/Domain:**
- **Keying Value** - Enter the hostname or domain name to match (case-insensitive)
4. **For Registry:**
- **Registry Path** - Full path including hive, subkey, and value name
- **Registry Value** - The value to check against
- **Registry Comparison** - "Matches" (secure, hash-based) or "Contains" (WEAK, plaintext)
### Implementation Details
- **Hash-Based Storage (Hostname/Domain/Registry-Matches):** The keying value is never stored in plaintext in the agent binary. Instead, a SHA256 hash of the uppercase value is embedded
- **Plaintext Storage (Registry-Contains):** ⚠️ When using Registry keying with "Contains" mode, the value is stored in **plaintext** in the binary - easily extractable
- **Uppercase Normalization:** All values (except Registry-Contains mode) are converted to uppercase before hashing to ensure consistent matching regardless of case
- **Runtime Hashing:** During execution, the agent hashes the current hostname/domain/registry-value and compares it to the stored hash
- **Forgiving Domain Matching:** For domain keying, the agent checks:
1. The full domain name (e.g., `CORP.CONTOSO.LOCAL`)
2. Each part split by dots (e.g., `CORP`, `CONTOSO`, `LOCAL`)
### Example Scenarios
**Scenario 1: Targeted Workstation**
```
Enable Keying: Yes
Keying Method: Hostname
Keying Value: FINANCE-WS-42
```
This agent will only execute on the machine named `FINANCE-WS-42`.
**Scenario 2: Domain-Wide Campaign**
```
Enable Keying: Yes
Keying Method: Domain
Keying Value: CONTOSO
```
This agent will execute on machines where the domain contains `CONTOSO`:
- Machines in domain `CONTOSO`
- Machines in domain `CONTOSO.LOCAL`
- Machines in domain `CORP.CONTOSO.COM`
- Machines in domain `FABRIKAM.COM`
**Scenario 3: Registry Keying (Matches - Secure)**
```
Enable Keying: Yes
Keying Method: Registry
Registry Path: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
Registry Value: Windows 10 Enterprise
Registry Comparison: Matches
```
This agent will only execute on systems running Windows 10 Enterprise (exact match).
**Scenario 4: Registry Keying (Contains - WEAK)**
```
Enable Keying: Yes
Keying Method: Registry
Registry Path: HKLM\SOFTWARE\YourCompany\CustomApp\InstallID
Registry Value: SecretMarker-ABC123
Registry Comparison: Contains
```
This agent will execute on systems where the registry value contains "SecretMarker-ABC123" anywhere.
⚠️ WARNING: "SecretMarker-ABC123" is stored in plaintext in the binary.
**Scenario 5: No Keying (Default)**
```
Enable Keying: No
```
This agent will execute on any system (traditional behavior).