# Ares - Advanced Windows Agent

![Ares](documentation-payload/ares/AresLandscape.svg)

Ares is a sophisticated Windows agent designed for advanced red team operations, integrating BlueHammer exploit capabilities with the Mythic C2 framework for comprehensive penetration testing and security assessment.

## 🚀 Overview

Ares combines the power of the BlueHammer Windows Defender exploit with a robust Mythic C2 integration, providing:

- Windows Defender bypass capabilities
- SYSTEM privilege escalation
- Multiple persistence mechanisms
- Full Mythic C2 integration
- Advanced evasion techniques

## 📋 Features

### Core Capabilities

- **Windows Defender Bypass**: Leverages the BlueHammer exploit to disable security controls
- **SYSTEM Privileges**: Multiple techniques for privilege escalation to NT AUTHORITY\SYSTEM
- **Persistence**: Comprehensive persistence across the registry, services, scheduled tasks, and the startup folder
- **Mythic C2 Integration**: Full command and control capabilities
- **Encrypted Communication**: AES256 encryption with HMAC integrity

### Advanced Features

- **P2P Communication**: Peer-to-peer agent communication
- **Credential Operations**: Credential tracking and manipulation
- **Code Execution**: Unmanaged PE, .NET assembly, and PowerShell execution
- **SOCKSv5 Support**: Proxy capabilities for network operations
- **Domain Rotation**: Advanced HTTP profile with proxy support
- **Message Transform**: Base64, NetBIOS, and XOR encoding support

## 🛠️ Installation

### Prerequisites

- Mythic C2 server installed on a remote computer
- Windows target systems for deployment
- Python 3.8+ for agent building

### Installation from Mythic

As **root** user:

```bash
./mythic-cli install github https://github.com/MythicAgents/Ares.git
```

As **non-root** user:

```bash
sudo -E ./mythic-cli install github https://github.com/MythicAgents/Ares.git
```

Once installed, restart Mythic to build the agent.

### Manual Building

1. **Clone the repository**:

   ```bash
   git clone https://github.com/MythicAgents/Ares.git
   cd Ares
   ```

2. **Build the agent**:

   ```bash
   python build.py
   ```

3. **Deploy the agent**:

   ```bash
   python deploy.py
   ```

## ⚙️ Configuration

### C2 Profile Configuration

Ares supports advanced HTTP profile configuration:

```json
{
  "c2_profile": "http",
  "callback_host": "http://your-c2-server.com",
  "callback_port": 80,
  "callback_interval": 10,
  "callback_jitter": 23,
  "headers": {
    "User-Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
  },
  "AESPSK": {
    "enc_key": "your-encryption-key",
    "dec_key": "your-decryption-key",
    "value": "aes256_hmac"
  }
}
```

### Build Parameters

```json
{
  "output_type": "WinExe",
  "filename": "win-update.exe",
  "debug": true,
  "shellcode_bypass": "Continue on fail",
  "enable_keying": false
}
```

## 🎯 Usage

### Agent Execution

Execute the agent on target systems:

```cmd
win-update.exe
```

### Command Examples

#### Windows Defender Bypass

```bash
bypass_defender
```

#### Privilege Escalation

```bash
getsystem
```

#### Persistence Establishment

```bash
establish_persistence
```

#### File Operations

```bash
# Download file
download -Path C:\sensitive\file.txt

# Upload file
upload -File local_file.txt -RemotePath C:\temp\file.txt
```

#### Code Execution

```bash
# Execute .NET assembly
execute_assembly -Assembly malware.exe -Arguments "-flag value"

# Execute PowerShell
powershell -Command "Get-Process"

# Execute COFF object file
execute_coff -Coff object.x64.o -Function go
```

## 🔧 Commands Reference

### Core Commands

| Command | Syntax | Description |
|---------|--------|-------------|
| `bypass_defender` | `bypass_defender` | Bypass Windows Defender using the BlueHammer exploit |
| `getsystem` | `getsystem` | Gain SYSTEM privileges using multiple techniques |
| `establish_persistence` | `establish_persistence` | Establish multiple persistence mechanisms |
| `assembly_inject` | `assembly_inject -PID [pid] -Assembly [assembly]` | Execute a .NET assembly in a remote process |
| `execute_assembly` | `execute_assembly -Assembly [assembly.exe]` | Execute a registered .NET assembly |
| `execute_pe` | `execute_pe -PE [binary.exe]` | Execute a statically compiled executable |

### File Operations

| Command | Syntax | Description |
|---------|--------|-------------|
| `download` | `download -Path [path]` | Download a file from the target system |
| `upload` | `upload -File [file] -RemotePath [path]` | Upload a file to the target system |
| `cat` | `cat -Path [file]` | Display file contents |
| `cp` | `cp -Path [source] -Destination [dest]` | Copy a file |
| `mv` | `mv -Path [source] -Destination [dest]` | Move a file |
| `rm` | `rm -Path [file]` | Remove a file |

### System Operations

| Command | Syntax | Description |
|---------|--------|-------------|
| `shell` | `shell -Command "command"` | Execute a shell command |
| `ps` | `ps` | List processes |
| `kill` | `kill -PID [pid]` | Kill a process |
| `ls` | `ls -Path [dir]` | List directory contents |
| `cd` | `cd -Path [dir]` | Change directory |
| `pwd` | `pwd` | Print the working directory |

### Network Operations

| Command | Syntax | Description |
|---------|--------|-------------|
| `ifconfig` | `ifconfig` | Get network adapters |
| `netstat` | `netstat` | Display network connections |
| `net_dclist` | `net_dclist` | List domain controllers |
| `net_shares` | `net_shares` | List network shares |

### Credential Operations

| Command | Syntax | Description |
|---------|--------|-------------|
| `mimikatz` | `mimikatz -Command "command"` | Execute Mimikatz commands |
| `dcsync` | `dcsync -Domain [domain]` | DCSync domain credentials |
| `make_token` | `make_token -Domain [domain] -User [user] -Password [pass]` | Create an access token |
| `steal_token` | `steal_token -PID [pid]` | Steal a token from a process |

## 🛡️ Persistence Mechanisms

### Registry Persistence

- **HKCU**: `Software\Microsoft\Windows\CurrentVersion\Run`
- **HKLM**: `Software\Microsoft\Windows\CurrentVersion\Run`

### Service Persistence

- **Service Name**: `WinDefendUpdate`
- **Run As**: `LocalSystem`
- **Startup Type**: Automatic

### Scheduled Tasks

- **Task Name**: `WindowsDefenderMaintenance`
- **Schedule**: Hourly
- **Run As**: `SYSTEM`

### Startup Folder

- **Location**: `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`
- **File Name**: `WindowsDefenderUpdate.exe`

## 🔒 Security Features

### Encryption

- **AES256-CBC**: End-to-end encryption
- **HMAC-SHA256**: Message integrity verification
- **Key Rotation**: Configurable key rotation policies

### Evasion Techniques

- **Process Hollowing**: Advanced code injection
- **API Unhooking**: Bypass security hooks
- **Direct Syscalls**: Bypass user-mode hooks
- **Stack Spoofing**: Evade stack-based detection

## 📊 Mythic Integration

### C2 Communication

- **Check-in Interval**: Configurable (default: 10 seconds)
- **Jitter**: Percentage-based jitter (default: 23%)
- **Encryption**: AES256 with HMAC integrity
- **Proxy Support**: HTTP proxies and domain fronting

### Task Processing

- **Asynchronous Processing**: Non-blocking task execution
- **Result Reporting**: Comprehensive result reporting
- **Error Handling**: Robust error handling and recovery
- **Status Updates**: Real-time task status updates

## 🚨 Detection Evasion

Ares employs multiple techniques to evade detection:

### Behavioral Evasion

- Legitimate-looking process names
- Windows Defender-related service names
- Operation from the temp directory
- Fileless execution where possible

### Technical Evasion

- API unhooking
- Direct system calls
- Stack spoofing
- Process hollowing
- ETW patching

## ⚠️ Disclaimer

This tool is intended for:

- Authorized penetration testing
- Security research and education
- Red team operations with proper authorization

**Unauthorized use against systems you do not own or have explicit permission to test is illegal.**

## 🐛 Issues and Support

Report issues and feature requests:

- GitHub Issues: https://github.com/MythicAgents/Ares/issues
- Documentation: https://github.com/MythicAgents/Ares/wiki
- Community Support: Mythic Discord server

## 📄 License

This project is licensed under the MIT License. See the LICENSE file for details.

## 🙏 Credits

- **BlueHammer Researchers**: For the Windows Defender exploit
- **Mythic C2 Team**: For the excellent C2 framework
- **Security Researchers**: For ongoing research and techniques
- **Red Team Community**: For testing and feedback

## 🔗 Resources

- [Mythic C2 Documentation](https://github.com/its-a-feature/Mythic/)
- [BlueHammer Research](https://github.com/bluehammer)
- [Windows Security Research](https://github.com/topics/windows-security)

---

**Ares Team** | Advanced Red Team Operations | 2026
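For blue teams validating a red team engagement, the artifacts listed under Persistence Mechanisms are the natural hunt targets. The PowerShell below is an added example, not part of the Ares project, that checks a host for the Run-key, service, scheduled-task and startup-folder artifacts named in this README; it assumes any Run-key entry would point at either the startup-folder binary (`WindowsDefenderUpdate.exe`) or the default build filename (`win-update.exe`), which the README does not state explicitly.

```powershell
# Added hunt script (not part of Ares): checks for the persistence artifacts this README documents.
# Run from an elevated prompt so HKLM, all services and all tasks are visible. The names below are
# taken from the README; a rebuilt agent may use different ones, so treat them as a starting point.
$Indicators = @{
    RunValuePatterns = @('WindowsDefenderUpdate\.exe', 'win-update\.exe')  # assumption: Run entry targets these
    ServiceName      = 'WinDefendUpdate'
    TaskName         = 'WindowsDefenderMaintenance'
    StartupFile      = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefenderUpdate.exe'
}
$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Type, $Detail) {
    $Findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail })
}

# 1. Registry Run keys (HKCU and HKLM): flag any value whose data matches a known binary name.
foreach ($hive in 'HKCU:', 'HKLM:') {
    $key   = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        foreach ($pat in $Indicators.RunValuePatterns) {
            if ("$($p.Value)" -match $pat) { Add-Finding 'RegistryRun' "$key\$($p.Name) = $($p.Value)" }
        }
    }
}

# 2. Service: the README says it runs as LocalSystem with Automatic start, so report those fields too.
$svc = Get-CimInstance Win32_Service -Filter "Name='$($Indicators.ServiceName)'" -ErrorAction SilentlyContinue
if ($svc) { Add-Finding 'Service' "$($svc.Name) ($($svc.StartMode), $($svc.StartName)): $($svc.PathName)" }

# 3. Scheduled task: report the principal and the action so the binary path is captured for triage.
$task = Get-ScheduledTask -TaskName $Indicators.TaskName -ErrorAction SilentlyContinue
if ($task) {
    $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) runs as $($task.Principal.UserId): $action"
}

# 4. Startup folder: %APPDATA% resolves for the current user only; repeat per profile on shared hosts.
if (Test-Path $Indicators.StartupFile) {
    $hash = (Get-FileHash -Algorithm SHA256 -Path $Indicators.StartupFile).Hash
    Add-Finding 'StartupFolder' "$($Indicators.StartupFile) SHA256=$hash"
}

if ($Findings.Count -eq 0) { 'No Ares persistence artifacts found.' } else { $Findings | Format-Table -AutoSize }
```

A hit on any of the four checks should be corroborated with the matching Sysmon or Security event (registry value set, service install, task creation, file create) to establish when the artifact appeared.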