Ares-mythic/ARES_README.md
2026-04-14 12:17:24 +07:00

Ares BlueHammer Agent

A Mythic C2 agent that wraps the BlueHammer Windows Defender exploit to disable Defender, escalate to SYSTEM and install persistence on the target.

🚀 Features

Core Capabilities

  • Windows Defender Bypass: Runs the BlueHammer exploit to disable Defender protections
  • SYSTEM Privilege Escalation: Several techniques for reaching NT AUTHORITY\SYSTEM
  • Persistence Mechanisms: Five autostart vectors (registry Run keys, service, scheduled task, WMI subscription, startup folder)
  • Mythic C2 Integration: Check-in and tasking through a Mythic C2 server

Exploit Integration

  • BlueHammer Integration: Direct integration with Windows Defender RPC vulnerability
  • VSS Manipulation: Volume Shadow Copy exploitation for file access
  • Protected File Access: Bypasses file protection mechanisms

Persistence Methods

  • Registry Persistence: HKCU and HKLM Run keys
  • Service Installation: Windows service running as LocalSystem
  • Scheduled Tasks: Hourly execution as SYSTEM
  • WMI Event Subscriptions: Permanent event subscriptions that trigger execution
  • Startup Folder: Copy placed in the user's Startup directory

All of these except the HKCU Run key and the startup folder need administrative rights, which is why the agent sets up persistence only after the privilege-escalation step.

📋 Requirements

  • Python 3.8+
  • PyInstaller (for building)
  • Windows target system
  • Mythic C2 server

🛠️ Installation & Building

1. Build the Agent

python build.py

2. Deploy the Agent

python deploy.py

3. Execute on Target

Copy AresAgent.exe to the target system and execute it:

AresAgent.exe

🎯 Usage

The agent automatically performs the following sequence:

  1. Defender Bypass: Executes BlueHammer to disable Windows Defender
  2. Privilege Escalation: Gains SYSTEM privileges using multiple techniques
  3. Persistence Setup: Establishes multiple persistence mechanisms
  4. C2 Connection: Connects to Mythic server for command and control

Manual Commands

You can also execute specific functions manually:

# Bypass Windows Defender
agent.bypass_defender()

# Gain SYSTEM privileges  
agent.gain_system_privileges()

# Establish persistence
agent.establish_persistence()

🔧 Configuration

Edit hammer_agent_config.json to configure:

{
    "mythic_server": "http://your-mythic-server.com:7443",
    "api_key": "your-api-key-here", 
    "checkin_interval": 30,
    "temp_directory": "C:\\Windows\\Temp"
}

Two things to check before building. Mythic serves its interface over HTTPS on port 7443 by default, so the server URL should use https://; with http:// the encrypted communication described under Mythic Integration does not apply. Everything in this file is bundled into AresAgent.exe by PyInstaller, and PyInstaller archives are trivially unpacked, so treat the API key as exposed once the agent has been deployed.
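The following validator is an added example, not code from the Ares project: it loads hammer_agent_config.json and refuses the weak settings in the sample above (plain http://, the placeholder key, a non-positive interval, a relative temp directory) before build.py bakes them into the executable. The key names follow the README; the checks, the helper names and the corrected sample (hostname and key are placeholders) are this example's own.

```python
# Added example, not part of the Ares project: sanity-check
# hammer_agent_config.json before building, so weak settings are caught
# instead of being compiled into AresAgent.exe.
import json
import re
from urllib.parse import urlsplit

PLACEHOLDER_KEYS = {"", "your-api-key-here"}


def validate_config(cfg):
    """Return a list of problems; an empty list means the config is usable."""
    problems = []

    parts = urlsplit(cfg.get("mythic_server", ""))
    if parts.scheme != "https":
        # Mythic listens with TLS on 7443 by default; with http:// the
        # "encrypted communication" the README promises never happens.
        problems.append("mythic_server must use https://")
    if not parts.hostname:
        problems.append("mythic_server has no host")

    if cfg.get("api_key", "") in PLACEHOLDER_KEYS:
        problems.append("api_key is empty or still the placeholder")

    interval = cfg.get("checkin_interval")
    if not isinstance(interval, int) or isinstance(interval, bool) or interval <= 0:
        problems.append("checkin_interval must be a positive integer (seconds)")

    # Drive letter, colon, backslash: an absolute Windows path.
    if not re.fullmatch(r"[A-Za-z]:\\.*", cfg.get("temp_directory", "")):
        problems.append("temp_directory must be an absolute Windows path")

    return problems


def check_json(text):
    """Parse JSON text and return its validation problems."""
    return validate_config(json.loads(text))


def load_config(text):
    """Parse the JSON text and refuse to return a config that fails validation."""
    cfg = json.loads(text)
    problems = validate_config(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return cfg


# The README's own sample, verbatim: it fails on the scheme and the key.
README_SAMPLE = r"""{
    "mythic_server": "http://your-mythic-server.com:7443",
    "api_key": "your-api-key-here",
    "checkin_interval": 30,
    "temp_directory": "C:\\Windows\\Temp"
}"""

# Corrected version; hostname and key are placeholders for illustration.
FIXED_SAMPLE = r"""{
    "mythic_server": "https://c2.example.internal:7443",
    "api_key": "example-key-not-real",
    "checkin_interval": 30,
    "temp_directory": "C:\\Windows\\Temp"
}"""

if __name__ == "__main__":
    print("README sample:", check_json(README_SAMPLE))
    print("fixed sample: ", check_json(FIXED_SAMPLE))
    print("loaded:", load_config(FIXED_SAMPLE)["mythic_server"])
```

Run it against the file with `load_config(open("hammer_agent_config.json").read())` from build.py; a ValueError there is cheaper than discovering a plaintext callback after the agent is on a host.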

🛡️ Persistence Mechanisms

1. Registry Persistence

  • HKCU: Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM: Software\Microsoft\Windows\CurrentVersion\Run

2. Service Installation

  • Service Name: WinDefendUpdate
  • Run As: LocalSystem
  • Startup: Automatic

3. Scheduled Tasks

  • Task Name: WindowsDefenderMaintenance
  • Schedule: Hourly
  • Run As: SYSTEM

4. WMI Event Subscriptions

  • Permanent subscriptions in the root\subscription namespace (an event filter bound to a command-line consumer)
  • Triggered by system events rather than by user logon

5. Startup Folder

  • Copy in the user's Startup directory
  • Executable marked with the hidden file attribute

📊 Mythic Integration

Supported Commands

  • bypass_defender - Execute BlueHammer exploit
  • escalate_privileges - Gain SYSTEM privileges
  • establish_persistence - Set up persistence
  • execute_command - Execute system commands

C2 Communication

  • Check-in every checkin_interval seconds (30 in the sample config)
  • Encrypted communication (requires an https:// mythic_server URL)
  • Task-based execution model

🔍 Detection Evasion

  • Fileless Execution: Memory-based operation where possible; the dropped AresAgent.exe and every persistence entry above are still on-disk artefacts
  • Hidden Files: Hidden attribute set, which hides the file from a default directory listing but not from dir /a, EDR sensors or forensic tooling
  • Temp Directory: Execution from temporary locations; a binary launching from C:\Windows\Temp is itself a common hunt signal
  • Legitimate Names: Uses Windows Defender-related names; a Defender-themed service or task whose image is not under the Defender install directories is easy to spot
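The following hunt logic is an added example, not code from the Ares project; it covers both the artefacts listed under Persistence Mechanisms and the tradecraft described in this Detection Evasion section. It runs offline over constructed Autostart records shaped like what you get from enumerating Run keys, services, scheduled tasks, the root\subscription namespace and the Startup folder; on a live host you would build those records from that enumeration. The service and task names come from this README; the run-key name, the WMI consumer name, the user name, the Defender platform version and the hidden startup-folder file name are assumptions made for the sample.

```python
# Added example, not part of the Ares project: flag autostart entries that
# match the persistence and evasion tradecraft described in this README.
import re
from dataclasses import dataclass

# Where a genuine Defender binary is allowed to live.
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender",
)
# Temp locations; C:\Windows\Temp is the README's own execution directory.
TEMP_MARKERS = (r"c:\windows\temp", r"\appdata\local\temp")
# Default artefact names documented in this README.
README_NAMES = {"windefendupdate", "windowsdefendermaintenance"}


@dataclass
class Autostart:
    kind: str            # run_key | service | task | wmi | startup_folder
    name: str            # value name, service/task name, or WMI consumer name
    image: str           # command line or binary path as stored in the entry
    hidden: bool = False # file has the hidden attribute (startup folder only)


def image_path(cmdline):
    """Extract the executable path from a command line, quoted or bare."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    path = (m.group(1) or m.group(2)) if m else cmdline
    return path.strip().lower()


def suspicious(entry):
    """Reasons this entry matches the tradecraft described in the README."""
    reasons = []
    path = image_path(entry.image)
    basename = path.rsplit("\\", 1)[-1]
    name = entry.name.lower()

    if name in README_NAMES:
        reasons.append("name matches an Ares default artefact name")
    # "Legitimate names": Defender-themed, but not where Defender lives.
    if ("defend" in name or "defend" in basename) and not path.startswith(DEFENDER_DIRS):
        reasons.append("Defender-themed name outside the Defender directories")
    # "Temp directory": binaries launching from temp locations.
    if any(marker in path for marker in TEMP_MARKERS):
        reasons.append("image runs from a temp directory")
    # "Hidden files": nothing legitimate hides itself in the Startup folder.
    if entry.kind == "startup_folder" and entry.hidden:
        reasons.append("hidden executable in the Startup folder")
    return reasons


def hunt(entries):
    """Map each flagged entry's (kind, name) to the reasons it was flagged."""
    findings = {}
    for entry in entries:
        reasons = suspicious(entry)
        if reasons:
            findings[(entry.kind, entry.name)] = reasons
    return findings


# Constructed sample: two genuine Defender autostarts, one benign Run key,
# then the five artefact types the README describes (names marked above
# as assumptions are made up; the platform version is illustrative).
SAMPLE = [
    Autostart("service", "WinDefend",
              r'"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MsMpEng.exe"'),
    Autostart("task", "Windows Defender Scheduled Scan",
              r'"C:\Program Files\Windows Defender\MpCmdRun.exe" Scan -ScheduleJob'),
    Autostart("run_key", "OneDrive",
              r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    Autostart("run_key", "WindowsDefenderUpdate", r"C:\Windows\Temp\AresAgent.exe"),
    Autostart("service", "WinDefendUpdate", r"C:\Windows\Temp\AresAgent.exe"),
    Autostart("task", "WindowsDefenderMaintenance", r"C:\Windows\Temp\AresAgent.exe"),
    Autostart("wmi", "DefenderMaintenanceConsumer", r"C:\Windows\Temp\AresAgent.exe"),
    Autostart("startup_folder", "WindowsDefender.exe",
              r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.exe",
              hidden=True),
]

if __name__ == "__main__":
    for key, reasons in hunt(SAMPLE).items():
        print(key, "->", "; ".join(reasons))
```

The name rule is what makes this robust to a renamed agent: it does not depend on the README's defaults, only on the mismatch between a Defender-themed name and an image outside Defender's directories, which is exactly the trade-off the "Legitimate Names" bullet makes.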

⚠️ Disclaimer

This tool is for educational and authorized penetration testing purposes only. Unauthorized use against systems you do not own or have explicit permission to test is illegal.

🐛 Issues

Report issues and feature requests in the project repository.

📄 License

This project is licensed under the MIT License - see LICENSE file for details.

🙏 Credits

  • BlueHammer exploit researchers
  • Mythic C2 framework team
  • Windows security researchers

Ares Team | Advanced Red Team Operations