# GhostWrite — Fileless Persistence Engine (Go)

ADS · WMI · COM Hijack · Registry · Scheduled Tasks

Author: mazen91111 (parasite911) · Red Team Research

7 fileless persistence techniques that survive reboot without writing a single file to disk. Pure Go implementation — research framework for understanding how modern malware persists.

## Techniques

| # | Technique | MITRE ID | Stealth | Admin Required |
|---|---|---|---|---|
| 1 | NTFS Alternate Data Streams (ADS) | T1564.004 | 9/10 | No |
| 2 | WMI Event Subscription | T1546.003 | 8/10 | No |
| 3 | COM Object Hijacking | T1546.015 | 9/10 | No |
| 4 | Registry Run Key Payload | T1547.001 | 5/10 | No |
| 5 | Scheduled Task (COM Handler) | T1053.005 | 7/10 | No |
| 6 | Service DLL (svchost) | T1543.003 | 8/10 | Yes |
| 7 | Environment Variable DLL Injection | T1574.007 | 8/10 | No |
## Build

```bash
git clone https://github.com/mazen91111/GhostWrite.git
cd GhostWrite
go build -o ghostwrite ghostwrite.go
```

## Usage

```bash
# Full persistence techniques report
./ghostwrite --demo

# Stealth comparison matrix
./ghostwrite --matrix

# Detection coverage analysis
./ghostwrite --detect
```

## Sample output

```text
[*] Analyzing 7 fileless persistence techniques...

┃ #1 NTFS Alternate Data Streams (ADS)
┃ MITRE: T1564.004 │ Fingerprint: a3f7c92e
┃ Hide payload in ADS of existing file — invisible to dir/explorer
┃ Stealth: [█████████░] 9/10
┃ Survival: Survives reboot, hidden from normal file listing

[ STEALTH MATRIX ]
Technique                           Stealth       Admin  MITRE
NTFS Alternate Data Streams (ADS)   [█████████░]  No     T1564.004
WMI Event Subscription              [████████░░]  No     T1546.003
COM Object Hijacking                [█████████░]  No     T1546.015
Service DLL (svchost)               [████████░░]  Yes    T1543.003

[ DETECTION COVERAGE ]
Autoruns          [███░░░░] 3/7 techniques
Sysmon            [██░░░░░] 2/7 techniques
Forensic Scanner  [██░░░░░] 2/7 techniques
```

## Key concepts

- Fileless = payload lives in registry, WMI repo, ADS, or environment — never as a standalone file
- COM Hijacking = HKCU CLSID overrides HKLM — no admin rights needed
- WMI Persistence = permanent event subscriptions survive across reboots
- ADS = NTFS metadata streams invisible to standard directory listing
- COR_PROFILER = forces DLL load into every .NET process system-wide
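Detection is the flip side of the stealth ratings above. As an added example (not GhostWrite's own code), the Go snippet below classifies constructed Sysmon records against the MITRE IDs in this README: registry SetValue events (ID 13) that touch the COR_PROFILER environment variable, a per-user CLSID InprocServer32 entry shadowing HKLM, or a Run key, plus WMI filter/consumer/binding events (IDs 19-21). The Event struct, its field layout and the sample paths are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a constructed, simplified Sysmon record: the event ID plus the
// registry path written (ID 13) or the WMI object created (IDs 19-21).
type Event struct {
	ID     int
	Target string
}

// Classify returns the MITRE ID from the table above that an event most
// plausibly indicates, or "" when it touches none of the watched locations.
func Classify(e Event) string {
	if e.ID >= 19 && e.ID <= 21 { // WMI filter / consumer / binding created
		return "T1546.003"
	}
	if e.ID != 13 { // only registry SetValue events are inspected below
		return ""
	}
	t := strings.ToLower(e.Target)
	switch {
	case strings.Contains(t, `\environment\cor_profiler`),
		strings.Contains(t, `\environment\cor_enable_profiling`):
		return "T1574.007" // profiler DLL forced into every .NET process
	case strings.Contains(t, `\software\classes\clsid\`) &&
		strings.HasSuffix(t, `\inprocserver32\(default)`) &&
		!strings.HasPrefix(t, `hklm\`): // per-user CLSID shadowing HKLM
		return "T1546.015"
	case strings.Contains(t, `\currentversion\run\`):
		return "T1547.001"
	}
	return ""
}

// SampleEvents is a constructed log sample, not real telemetry.
var SampleEvents = []Event{
	{13, `HKU\S-1-5-21-1000\Environment\COR_PROFILER`},
	{13, `HKU\S-1-5-21-1000\Software\Classes\CLSID\{EXAMPLE}\InprocServer32\(Default)`},
	{13, `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater`},
	{20, `ActiveScriptEventConsumer`},
}

func main() {
	for _, e := range SampleEvents {
		fmt.Printf("%-9s %s\n", Classify(e), e.Target) // "" = not flagged
	}
}
```

Machine-wide (HKLM) CLSID writes and unrelated registry values fall through to "" so that ordinary software installs are not reported as hijacks.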
## Author

Mazen Obed — @mazen91111

Fileless Malware | Persistence Mechanisms | Red Team
For authorized security research ONLY. Use only on systems you own or have explicit authorization to test.
MIT License