GhostTree shows how NTFS junctions can be abused by any user to create recursive directory loops that make folder scans hang and leave malicious files unexamined. The technique was tested against Windows Defender and reported to Microsoft, highlighting how recursive file-system structures can evade endpoint scanning. #GhostTree #GhostBranch #NTFS #WindowsDefender #Microsoft #Varonis
Key points
- Any user can create NTFS junctions with only write access.
- GhostBranch uses a junction that points back to its parent directory.
- GhostTree expands the idea with multiple looping child folders.
- Recursive paths can overwhelm directory scans and EDR products.
- Microsoft was notified, and the issue was later patched.
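The mitigation on the scanner side, as an added example that is not part of the original post or of Varonis' research: a loop-safe directory walker in Python that tracks each directory's (device, inode) identity instead of its path, so a junction or symlink that points back to a parent (the GhostBranch/GhostTree structure described above) is recorded as a cycle and skipped rather than re-entered. On Windows it keys off FILE_ATTRIBUTE_REPARSE_POINT, which covers junctions; on other platforms it treats symlinks the same way. The `follow_links` flag and the function names are this example's own choices.

```python
import os
import stat

def is_reparse_point(st: os.stat_result) -> bool:
    """True for NTFS reparse points (junctions, symlinks) on Windows, symlinks elsewhere."""
    attrs = getattr(st, "st_file_attributes", 0)
    if attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0):
        return True
    return stat.S_ISLNK(st.st_mode)

def safe_scan(root, follow_links=False):
    """Walk root iteratively; never re-enter a directory identity.
    Returns (files, loops): regular files found, and links/junctions whose target was already visited."""
    root_st = os.stat(root)
    seen = {(root_st.st_dev, root_st.st_ino)}      # identity of visited directories, not paths
    files, loops, stack = [], [], [root]
    while stack:
        current = stack.pop()
        try:
            with os.scandir(current) as it:
                entries = list(it)
        except OSError:
            continue                                # unreadable directory: skip, do not hang
        for entry in entries:
            st = os.lstat(entry.path)               # lstat never follows the reparse point itself
            if is_reparse_point(st):
                try:
                    target = os.stat(entry.path)    # identity of what the junction/link points to
                except OSError:
                    continue                        # dangling link
                if not stat.S_ISDIR(target.st_mode):
                    files.append(entry.path)        # link to a file: scan it like any other file
                    continue
                key = (target.st_dev, target.st_ino)
                if key in seen:
                    loops.append(entry.path)        # back-reference to a parent: cycle, skip it
                elif follow_links:
                    seen.add(key)
                    stack.append(entry.path)        # untrusted junction to a new directory, only if policy allows
                continue
            if stat.S_ISDIR(st.st_mode):
                key = (st.st_dev, st.st_ino)
                if key not in seen:
                    seen.add(key)
                    stack.append(entry.path)
            else:
                files.append(entry.path)
    return files, loops
```

With `follow_links=False` (the default) the walker still enumerates every file reachable through ordinary directories, while every junction or symlink is resolved only far enough to learn whether it points somewhere already scanned.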