Ares-mythic/ARES_README.md
2026-04-14 12:17:24 +07:00

# Ares BlueHammer Agent
A sophisticated Mythic agent that integrates the BlueHammer Windows Defender exploit to bypass security controls, gain SYSTEM privileges, and establish persistent access.
## 🚀 Features
### Core Capabilities
- **Windows Defender Bypass**: Leverages BlueHammer exploit to disable Defender protections
- **SYSTEM Privilege Escalation**: Multiple techniques to gain NT Authority\SYSTEM privileges
- **Persistence Mechanisms**: Comprehensive persistence across multiple vectors
- **Mythic C2 Integration**: Full command and control capabilities
### Exploit Integration
- **BlueHammer Integration**: Direct integration with Windows Defender RPC vulnerability
- **VSS Manipulation**: Volume Shadow Copy exploitation for file access
- **Protected File Access**: Bypasses file protection mechanisms
### Persistence Methods
- **Registry Persistence**: HKCU and HKLM Run keys
- **Service Installation**: Windows service running as SYSTEM
- **Scheduled Tasks**: Hourly execution as SYSTEM
- **WMI Event Subscriptions**: Event-based execution triggers
- **Startup Folder**: User startup directory placement
## 📋 Requirements
- Python 3.8+
- PyInstaller (for building)
- Windows target system
- Mythic C2 server
## 🛠️ Installation & Building
### 1. Build the Agent
```bash
python build.py
```
### 2. Deploy the Agent
```bash
python deploy.py
```
### 3. Execute on Target
Copy `AresAgent.exe` to target system and execute:
```cmd
AresAgent.exe
```
## 🎯 Usage
The agent automatically performs the following sequence:
1. **Defender Bypass**: Executes BlueHammer to disable Windows Defender
2. **Privilege Escalation**: Gains SYSTEM privileges using multiple techniques
3. **Persistence Setup**: Establishes multiple persistence mechanisms
4. **C2 Connection**: Connects to Mythic server for command and control
### Manual Commands
You can also execute specific functions manually:
```python
# Bypass Windows Defender
agent.bypass_defender()
# Gain SYSTEM privileges
agent.gain_system_privileges()
# Establish persistence
agent.establish_persistence()
```
## 🔧 Configuration
Edit `hammer_agent_config.json` to configure:
```json
{
  "mythic_server": "http://your-mythic-server.com:7443",
  "api_key": "your-api-key-here",
  "checkin_interval": 30,
  "temp_directory": "C:\\Windows\\Temp"
}
```
## 🛡️ Persistence Mechanisms
### 1. Registry Persistence
- **HKCU**: `Software\Microsoft\Windows\CurrentVersion\Run`
- **HKLM**: `Software\Microsoft\Windows\CurrentVersion\Run`
### 2. Service Installation
- **Service Name**: `WinDefendUpdate`
- **Run As**: `LocalSystem`
- **Startup**: Automatic
### 3. Scheduled Tasks
- **Task Name**: `WindowsDefenderMaintenance`
- **Schedule**: Hourly
- **Run As**: `SYSTEM`
### 4. WMI Event Subscriptions
- Event-based execution triggers
- System event subscriptions
### 5. Startup Folder
- User startup directory
- Hidden executable
## 📊 Mythic Integration
### Supported Commands
- `bypass_defender` - Execute BlueHammer exploit
- `escalate_privileges` - Gain SYSTEM privileges
- `establish_persistence` - Set up persistence
- `execute_command` - Execute system commands
### C2 Communication
- Regular check-ins every 30 seconds
- Encrypted communication
- Task-based execution model
## 🔍 Detection Evasion
- **Fileless Execution**: Memory-based operation where possible
- **Hidden Files**: Attributes set to hidden
- **Temp Directory**: Execution from temporary locations
- **Legitimate Names**: Uses Windows Defender-related names
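As an added defender-side example (not part of this project), the following hunt checks task and service inventories for the artifacts the persistence and evasion sections above name: Defender-themed task/service names, and SYSTEM-level binaries launched from the configured temp directory. The CSV layout follows `schtasks /query /fo CSV /v`; the sample rows, the service list and the temp-path markers are constructed.

```python
import csv
import io
from typing import Dict, Iterable, List, Tuple

# Hunt list built from the artifact names this README documents (constructed, not exhaustive).
SUSPECT_NAMES = {"windefendupdate", "windowsdefendermaintenance"}
SYSTEM_ACCOUNTS = {"system", "localsystem", "nt authority\\system"}
# A task or service running as SYSTEM should not launch from a user-writable temp location.
TEMP_MARKERS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

def binary_path(command: str) -> str:
    """Strip surrounding quotes and arguments from a 'Task To Run' or binPath value."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]

def assess(kind: str, name: str, run_as: str, command: str) -> List[str]:
    """Return the reasons one persistence entry matches the tradecraft described above."""
    reasons = []
    path = binary_path(command).lower()
    if name.lower().lstrip("\\") in SUSPECT_NAMES:
        reasons.append(f"{kind} name impersonates Windows Defender: {name}")
    if run_as.lower() in SYSTEM_ACCOUNTS and any(m in path for m in TEMP_MARKERS):
        reasons.append(f"{kind} runs as {run_as} from a temp location: {path}")
    return reasons

def hunt(entries: Iterable[Tuple[str, str, str, str]]) -> Dict[str, List[str]]:
    """Entries are (kind, name, run-as account, command); returns {name: reasons} for hits only."""
    hits: Dict[str, List[str]] = {}
    for kind, name, run_as, command in entries:
        reasons = assess(kind, name, run_as, command)
        if reasons:
            hits[name] = reasons
    return hits

def tasks_from_schtasks_csv(csv_text: str) -> List[Tuple[str, str, str, str]]:
    """Adapt `schtasks /query /fo CSV /v` output (header row included) to hunt() entries."""
    return [("task", r["TaskName"], r["Run As User"], r["Task To Run"])
            for r in csv.DictReader(io.StringIO(csv_text))]

# Constructed sample data: a benign Defrag task, a Defender service, and the task/service
# this README describes, launched from the configured temp directory.
SAMPLE_TASKS = r'''"HostName","TaskName","Status","Task To Run","Run As User","Schedule Type"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","At idle"
"WS01","\WindowsDefenderMaintenance","Ready","C:\Windows\Temp\AresAgent.exe","SYSTEM","Hourly"
'''
SAMPLE_SERVICES = [
    ("service", "WinDefend", "LocalSystem", r'"C:\Program Files\Windows Defender\MsMpEng.exe"'),
    ("service", "WinDefendUpdate", "LocalSystem", r"C:\Windows\Temp\AresAgent.exe"),
]
```

Running `hunt(tasks_from_schtasks_csv(SAMPLE_TASKS) + SAMPLE_SERVICES)` flags only the two Ares entries, each for both the name and the temp-path reason; the Defrag task and the real Defender service produce no hit.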
## ⚠️ Disclaimer
This tool is for educational and authorized penetration testing purposes only. Unauthorized use against systems you do not own or have explicit permission to test is illegal.
## 🐛 Issues
Report issues and feature requests in the project repository.
## 📄 License
This project is licensed under the MIT License - see LICENSE file for details.
## 🙏 Credits
- BlueHammer exploit researchers
- Mythic C2 framework team
- Windows security researchers
---
**Ares Team** | Advanced Red Team Operations