Researchers have discovered an attack technique called GhostTree that abuses NTFS junctions and symbolic links to hide malware from security products by creating recursive directory structures. Because any user can create a junction without administrative privileges, an attacker can point a child folder back at its own parent, producing an unbounded set of valid file paths that causes a recursive scanner to walk the same directory forever. GhostTree builds on the earlier GhostBranch concept (a single junction looping back to the parent) by creating several such child folders, so the loop branches into a binary-tree-like structure with approximately 2^126 distinct paths.
This effectively bypasses recursive folder scans, as demonstrated against Windows Defender, leaving malicious files in the parent directory unexamined. The traditional Windows path limit of 260 characters caps the depth at roughly 126 folders, since each level costs at least two characters (a one-character name plus a separator), but with two or more looping children the number of distinct paths within that depth is far too large for a scan to finish. Microsoft closed the initial report, stating that bypassing Defender does not cross a security boundary, but subsequently patched the issue regardless.
Security teams should monitor for anomalous junction creation and for recursive directory structures that have no business existing in normal operations, because endpoint scanning alone is insufficient. The technique requires only write permission on the target folder and a single command-line operation. Organizations are advised to implement file system activity monitoring at the data layer to catch what scanners miss. The attack highlights that NTFS features which serve legitimate purposes can be weaponized to evade detection tools, and GhostTree is a reminder that comprehensive defense requires multiple layers beyond traditional endpoint scanning.
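To make the three points above concrete (why a naive recursive scan never finishes, how a scanner should traverse such a tree, and what a detection check for the looping-junction shape looks like), here is an added example that is not code from the original research or from any scanner vendor. It builds a GhostTree-style loop in a temporary directory using POSIX symlinks as a stand-in for NTFS junctions (on Windows the same loop is created with `mklink /J`); the function names, the `payload.bin` marker file and the sample counts are my own constructions.

```python
"""GhostTree-style directory loop: build one, show why a naive recursive
walk explodes, walk it safely, and flag the links that cause the loop.

Added example, not code from the original report. Uses POSIX symlinks in a
temp directory as a stand-in for NTFS junctions; function names are assumed.
"""
import os
import tempfile


def build_ghosttree(root: str, branches: int = 2) -> list:
    """Create `branches` child links under `root`, each pointing back to root.

    Every child resolves to its own parent, so root/a/b/a/b/... are all valid
    paths. A marker file plays the role of the malware a scanner should reach.
    Returns the link paths created.
    """
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, "payload.bin"), "wb") as f:
        f.write(b"constructed sample, not malware")
    links = []
    for i in range(branches):
        link = os.path.join(root, chr(ord("a") + i))
        os.symlink(root, link, target_is_directory=True)  # mklink /J on Windows
        links.append(link)
    return links


def naive_path_count(root: str, max_depth: int) -> int:
    """Count the paths a naive recursive walk visits, bounded by max_depth.

    Without the bound this never returns. With two looping children the
    directory visits grow as 2**depth, which is where the 2**126 figure for
    the 260-character path limit comes from.
    """
    count = 0
    for name in os.listdir(root):
        path = os.path.join(root, name)
        count += 1
        if os.path.isdir(path) and max_depth > 0:  # isdir follows links
            count += naive_path_count(path, max_depth - 1)
    return count


def safe_walk(root: str):
    """Yield regular files, following links but never re-entering a directory
    already visited. Directories are identified by the device and inode of
    the real directory, so every alias of the loop collapses to one visit.
    """
    seen = set()
    stack = [root]
    while stack:
        d = stack.pop()
        st = os.stat(d)  # stat (not lstat) so the link's target is identified
        key = (st.st_dev, st.st_ino)
        if key in seen:
            continue
        seen.add(key)
        with os.scandir(d) as it:
            for entry in it:
                if entry.is_dir(follow_symlinks=True):
                    stack.append(entry.path)
                elif entry.is_file(follow_symlinks=False):
                    yield entry.path


def find_loop_links(root: str) -> list:
    """Flag links whose target resolves to an ancestor of the link itself.

    A legitimate junction points elsewhere in the tree; one that points up
    its own path is the exact shape GhostTree depends on.
    """
    # os.path.isjunction exists only on Python 3.12+, where Windows junctions
    # are not reported by islink(); fall back to "never a junction" elsewhere.
    is_junction = getattr(os.path, "isjunction", lambda p: False)
    hits = []
    for dirpath, dirnames, _ in os.walk(root, followlinks=False):
        here = os.path.realpath(dirpath)
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if not (os.path.islink(path) or is_junction(path)):
                continue
            target = os.path.realpath(path)
            if os.path.commonpath([target, here]) == target:
                hits.append(path)
    return hits


def demo() -> dict:
    """Build a two-branch loop and exercise all three functions on it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "drop")
        build_ghosttree(root)
        return {
            "naive_paths_depth_10": naive_path_count(root, 10),
            "safe_files": [os.path.basename(p) for p in safe_walk(root)],
            "loop_links": len(find_loop_links(root)),
        }


if __name__ == "__main__":
    print(demo())
```

With two looping children, `naive_path_count` visits 3 * (2^(depth+1) - 1) paths for the given depth bound; raising the bound toward the 126 levels the path limit allows is what turns a scan into a hang. `safe_walk` reaches `payload.bin` exactly once because it keys visited directories on their real identity rather than on the path string, and `find_loop_links` is the shape a file-system monitoring rule can use: a junction or link whose resolved target is an ancestor of its own location.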
