mazen91111/GhostWrite
GhostWrite — Fileless Persistence Engine

  ╔══════════════════════════════════════════════════════════════════╗
  ║       GhostWrite — Fileless Persistence Engine (Go)            ║
  ║   ADS · WMI · COM Hijack · Registry · Scheduled Tasks         ║
  ║      Author: mazen91111 (parasite911)  ·  Red Team Research    ║
  ╚══════════════════════════════════════════════════════════════════╝

Seven persistence techniques that survive a reboot without dropping a standalone payload file. "Fileless" here means the payload is stored inside an existing on-disk store (a registry hive, the WMI repository, an NTFS alternate data stream of an existing file) or in an environment variable, not that the disk is never written: each of those stores is itself backed by files, and the Service DLL and COR_PROFILER techniques still need a DLL the loader can reach. Pure Go implementation; a research framework for understanding how modern malware persists. The command-line modes documented below (--demo, --matrix, --detect) are reporting and analysis modes.


Techniques

| # | Technique | MITRE ID | Stealth | Admin Required |
|---|-----------|----------|---------|----------------|
| 1 | NTFS Alternate Data Streams (ADS) | T1564.004 | 9/10 | No |
| 2 | WMI Event Subscription | T1546.003 | 8/10 | Yes |
| 3 | COM Object Hijacking | T1546.015 | 9/10 | No |
| 4 | Registry Run Key Payload | T1547.001 | 5/10 | No |
| 5 | Scheduled Task (COM Handler) | T1053.005 | 7/10 | No |
| 6 | Service DLL (svchost) | T1543.003 | 8/10 | Yes |
| 7 | Environment Variable DLL Injection (COR_PROFILER) | T1574.012 | 8/10 | No |

Notes on the table:

  • Stealth scores are the project's own ratings, not measured values.
  • Permanent WMI subscriptions (an __EventFilter, an __EventConsumer and a __FilterToConsumerBinding in root\subscription) can only be created with administrator rights, so technique 2 is not a low-privilege option.
  • COR_PROFILER has its own sub-technique, T1574.012 (Hijack Execution Flow: COR_PROFILER); T1574.007 is Path Interception by PATH Environment Variable, a different technique.
  • An ADS is a storage location, not a trigger: something else (a Run key, a scheduled task, a subscription) must launch the payload out of the stream after the reboot.

Installation

git clone https://github.com/mazen91111/GhostWrite.git
cd GhostWrite
go build -o ghostwrite ghostwrite.go

Usage

# Full persistence techniques report
./ghostwrite --demo

# Stealth comparison matrix
./ghostwrite --matrix

# Detection coverage analysis
./ghostwrite --detect

Example Output

  [*] Analyzing 7 fileless persistence techniques...

  ┃ #1  NTFS Alternate Data Streams (ADS)
  ┃ MITRE: T1564.004  │  Fingerprint: a3f7c92e
  ┃ Hide payload in ADS of existing file — invisible to dir/explorer
  ┃ Stealth: [█████████░] 9/10
  ┃ Survival: Survives reboot, hidden from normal file listing

  [ STEALTH MATRIX ]
  Technique                            Stealth   Admin  MITRE
  NTFS Alternate Data Streams (ADS)    [█████████░] No   T1564.004
  WMI Event Subscription               [████████░░] No   T1546.003
  COM Object Hijacking                  [█████████░] No   T1546.015
  Service DLL (svchost)                 [████████░░] Yes  T1543.003

  [ DETECTION COVERAGE ]
    Autoruns             [███░░░░] 3/7 techniques
    Sysmon               [██░░░░░] 2/7 techniques
    Forensic Scanner     [██░░░░░] 2/7 techniques
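The "invisible to dir/explorer" line in the ADS entry above is true only for plain listings. The lab script below, added here as an example and not part of GhostWrite, writes a named stream onto a scratch file and then shows which listings hide it and which reveal it. It assumes a Windows host, PowerShell 3 or later and an NTFS volume behind %TEMP%; the directory, file and stream names are arbitrary.

```powershell
# ADS lab: added example, not GhostWrite code. Creates and removes its own scratch files.
$lab      = Join-Path $env:TEMP 'ghostwrite-ads-lab'   # assumed scratch location
$hostFile = Join-Path $lab 'readme.txt'
New-Item -ItemType Directory -Path $lab -Force | Out-Null
Set-Content -Path $hostFile -Value 'ordinary, visible content'

# Write a second named stream on the same file record (constructed stand-in content).
Set-Content -Path $hostFile -Stream 'hidden' -Value 'STAND-IN PAYLOAD BYTES'

# 1. A plain listing reports only the primary stream; Length does not change.
Get-ChildItem -Path $lab | Select-Object Name, Length

# 2. The stream is still enumerable. These are the checks a defender runs.
Get-Item -Path $hostFile -Stream *            # lists ':$DATA' and 'hidden' with their sizes
Push-Location $lab
cmd.exe /c 'dir /R'                           # dir /R prints readme.txt:hidden:$DATA as well
Pop-Location

# 3. Reading it back requires the stream name explicitly.
Get-Content -Path $hostFile -Stream 'hidden'

# 4. Streams live in the NTFS file record: copying the file to FAT/exFAT, zipping it or
#    mailing it drops the stream, which cuts both ways for persistence and for evidence.
Remove-Item -Path $hostFile -Stream 'hidden'
Remove-Item -Path $lab -Recurse -Force
```

Sysinternals streams.exe and Sysmon's FileCreateStreamHash event (Event ID 15) see the same stream writes, so "invisible" should be read as invisible to casual inspection, not to tooling.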

Key Concepts

  • Fileless = the payload lives in the registry, the WMI repository, an ADS or an environment variable, never as a standalone file object on disk (the hive, the repository and the host file are still on disk).
  • COM hijacking = a CLSID registered under HKCU\Software\Classes\CLSID is resolved before the HKLM copy, so no admin rights are needed; the caveat is that elevated (high-integrity) processes skip per-user COM registrations, so the hijack fires only in medium-integrity processes that load that CLSID.
  • WMI persistence = a permanent subscription (an __EventFilter, an __EventConsumer such as CommandLineEventConsumer, and a __FilterToConsumerBinding) is stored in the repository and survives reboots; creating it requires administrator rights.
  • ADS = additional NTFS $DATA streams attached to an existing file; hidden from dir and Explorer, but listed by dir /R, Get-Item -Stream * and Sysinternals streams, and lost when the file is copied to FAT/exFAT or zipped.
  • COR_PROFILER = with COR_ENABLE_PROFILING=1 set, the .NET Framework CLR loads the profiler named by COR_PROFILER (a CLSID resolved through COM, which is why it pairs well with the HKCU hijack) or by COR_PROFILER_PATH into every .NET Framework process that inherits the variable; set machine-wide it reaches every such process on the host, and .NET Core honours the CORECLR_* equivalents instead.
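The stores named above are all enumerable from an endpoint, which is the basis of the detection-coverage figures the tool reports. The hunting script below is an added example, not GhostWrite code: it reads each store read-only and emits one object per finding. It assumes PowerShell 5.1 or later on Windows, an elevated session (so root\subscription and the HKLM keys are readable), and it limits the ADS sweep to one directory tree chosen at the bottom of the script; the function names and the list of launcher binaries it flags are the author's choices, not anything from the project.

```powershell
# Persistence-store hunt: added example, not part of GhostWrite. Read-only; run elevated.

function Find-UserComHijacks {
    # A CLSID registered under HKCU that also exists under HKLM is the hijack shape:
    # the per-user server wins for medium-integrity processes.
    $userRoot = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $userRoot)) { return }
    foreach ($key in Get-ChildItem -Path $userRoot) {
        $clsid = $key.PSChildName
        foreach ($server in 'InprocServer32', 'LocalServer32') {
            $reg = Get-ItemProperty -Path "$($key.PSPath)\$server" -ErrorAction SilentlyContinue
            if ($reg -and (Test-Path "HKLM:\Software\Classes\CLSID\$clsid")) {
                [pscustomobject]@{ Technique = 'COM hijack'; Where = "HKCU CLSID $clsid\$server"; What = $reg.'(default)' }
            }
        }
    }
}

function Find-WmiSubscriptions {
    # A permanent subscription is three objects in root\subscription; list every instance.
    foreach ($class in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
        Get-CimInstance -Namespace 'root\subscription' -ClassName $class -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Filters carry Query, consumers carry a template or script, bindings carry the pair.
                $detail = @($_.Query, $_.CommandLineTemplate, $_.ScriptText) -ne $null | Select-Object -First 1
                if (-not $detail) { $detail = "$($_.Filter.Name) -> $($_.Consumer.Name)" }
                [pscustomobject]@{ Technique = 'WMI subscription'; Where = "$class $($_.Name)"; What = $detail }
            }
    }
}

function Find-CorProfiler {
    # The persistent set-points for the profiler variables are the user and machine Environment keys.
    $names = 'COR_ENABLE_PROFILING', 'COR_PROFILER', 'COR_PROFILER_PATH', 'COR_PROFILER_PATH_32', 'COR_PROFILER_PATH_64',
             'CORECLR_ENABLE_PROFILING', 'CORECLR_PROFILER', 'CORECLR_PROFILER_PATH'
    $keys  = 'HKCU:\Environment', 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($n in $names) {
            if ($props -and $null -ne $props.$n) {
                [pscustomobject]@{ Technique = 'COR_PROFILER'; Where = "$key\$n"; What = $props.$n }
            }
        }
    }
}

function Find-RunKeyEntries {
    # Registry-stored payloads need a launcher in a Run key; flag entries that invoke a script host.
    $launchers = 'powershell|pwsh|mshta|rundll32|regsvr32|wscript|cscript|cmd\.exe'   # assumed watch-list
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
            $tag = if ("$($p.Value)" -match $launchers) { 'Run key (script host)' } else { 'Run key' }
            [pscustomobject]@{ Technique = $tag; Where = "$key\$($p.Name)"; What = $p.Value }
        }
    }
}

function Find-AlternateStreams([string]$Root) {
    # Every stream other than the primary one and the browser Zone.Identifier marker is worth a look.
    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
        ForEach-Object { [pscustomobject]@{ Technique = 'ADS'; Where = "$($_.FileName):$($_.Stream)"; What = "$($_.Length) bytes" } }
}

$adsRoot  = Join-Path $env:USERPROFILE 'Downloads'   # assumption: one tree keeps the sweep fast
$findings = @(Find-UserComHijacks) + @(Find-WmiSubscriptions) + @(Find-CorProfiler) +
            @(Find-RunKeyEntries) + @(Find-AlternateStreams -Root $adsRoot)
$findings | Format-Table -Property Technique, Where, What -AutoSize -Wrap
```

Two gaps to keep in mind when reading the output: the COM check compares only against the 64-bit HKLM view (add HKLM:\Software\Classes\Wow6432Node\CLSID for 32-bit servers), and a COR_PROFILER that points at a CLSID rather than a path is only as visible as the COM check that resolves it, so the two functions should be read together.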

Author

Mazen Obed (@mazen91111): Fileless Malware | Persistence Mechanisms | Red Team


Disclaimer

For authorized security research ONLY. Use only on systems you own or have explicit authorization to test.


License

MIT License
