# Ares BlueHammer Agent

A sophisticated Mythic agent that integrates the BlueHammer Windows Defender exploit to bypass security controls, gain SYSTEM privileges, and establish persistent access.

## 🚀 Features

### Core Capabilities

- **Windows Defender Bypass**: Leverages the BlueHammer exploit to disable Defender protections
- **SYSTEM Privilege Escalation**: Multiple techniques to gain NT Authority\SYSTEM privileges
- **Persistence Mechanisms**: Comprehensive persistence across multiple vectors
- **Mythic C2 Integration**: Full command and control capabilities

### Exploit Integration

- **BlueHammer Integration**: Direct integration with the Windows Defender RPC vulnerability
- **VSS Manipulation**: Volume Shadow Copy exploitation for file access
- **Protected File Access**: Bypasses file protection mechanisms

### Persistence Methods

- **Registry Persistence**: HKCU and HKLM Run keys
- **Service Installation**: Windows service running as SYSTEM
- **Scheduled Tasks**: Hourly execution as SYSTEM
- **WMI Event Subscriptions**: Event-based execution triggers
- **Startup Folder**: User startup directory placement

## 📋 Requirements

- Python 3.8+
- PyInstaller (for building)
- Windows target system
- Mythic C2 server

## 🛠️ Installation & Building

### 1. Build the Agent

```bash
python build.py
```

### 2. Deploy the Agent

```bash
python deploy.py
```

### 3. Execute on Target

Copy `AresAgent.exe` to the target system and execute it:

```cmd
AresAgent.exe
```

## 🎯 Usage

The agent automatically performs the following sequence:

1. **Defender Bypass**: Executes BlueHammer to disable Windows Defender
2. **Privilege Escalation**: Gains SYSTEM privileges using multiple techniques
3. **Persistence Setup**: Establishes multiple persistence mechanisms
4. **C2 Connection**: Connects to the Mythic server for command and control

### Manual Commands

You can also execute specific functions manually:

```python
# Bypass Windows Defender
agent.bypass_defender()

# Gain SYSTEM privileges
agent.gain_system_privileges()

# Establish persistence
agent.establish_persistence()
```

## 🔧 Configuration

Edit `hammer_agent_config.json` to configure the agent:

```json
{
  "mythic_server": "http://your-mythic-server.com:7443",
  "api_key": "your-api-key-here",
  "checkin_interval": 30,
  "temp_directory": "C:\\Windows\\Temp"
}
```

## 🛡️ Persistence Mechanisms

### 1. Registry Persistence

- **HKCU**: `Software\Microsoft\Windows\CurrentVersion\Run`
- **HKLM**: `Software\Microsoft\Windows\CurrentVersion\Run`

### 2. Service Installation

- **Service Name**: `WinDefendUpdate`
- **Run As**: `LocalSystem`
- **Startup**: Automatic

### 3. Scheduled Tasks

- **Task Name**: `WindowsDefenderMaintenance`
- **Schedule**: Hourly
- **Run As**: `SYSTEM`

### 4. WMI Event Subscriptions

- Event-based execution triggers
- System event subscriptions

### 5. Startup Folder

- User startup directory
- Hidden executable

## 📊 Mythic Integration

### Supported Commands

- `bypass_defender` - Execute the BlueHammer exploit
- `escalate_privileges` - Gain SYSTEM privileges
- `establish_persistence` - Set up persistence
- `execute_command` - Execute system commands

### C2 Communication

- Regular check-ins every 30 seconds
- Encrypted communication
- Task-based execution model

## 🔍 Detection Evasion

- **Fileless Execution**: Memory-based operation where possible
- **Hidden Files**: File attributes set to hidden
- **Temp Directory**: Execution from temporary locations
- **Legitimate Names**: Uses Windows Defender-related names

## ⚠️ Disclaimer

This tool is for educational and authorized penetration testing purposes only. Unauthorized use against systems you do not own or have explicit permission to test is illegal.

## 🐛 Issues

Report issues and feature requests in the project repository.
## 📄 License

This project is licensed under the MIT License - see the LICENSE file for details.

## 🙏 Credits

- BlueHammer exploit researchers
- Mythic C2 framework team
- Windows security researchers

---

**Ares Team** | Advanced Red Team Operations