New GhostLock tool abuses Windows API to block file access

GhostLock is a proof-of-concept tool that abuses the Windows CreateFileW API and SMB file-sharing behavior to block access to files by opening them in exclusive mode. The technique can be run by standard domain users, causes sharing violations without encrypting or deleting data, and may be used to distract defenders while other intrusions continue.

Key points

  • GhostLock abuses the Windows CreateFileW API to lock files from other users and applications.
  • The attack works on local files and files stored on SMB network shares.
  • It uses dwShareMode = 0 to create exclusive access and trigger sharing violations.
  • Standard domain users can run the tool without elevated privileges.
  • Defenders can detect it using per-session open-file counts and storage-layer telemetry.
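
The per-session open-file count from the last key point, as an added example (not code from the article or from the GhostLock project). It assumes the file server's open handles were exported with `Get-SmbOpenFile | Export-Csv`; the sample rows and the `min_open` and `ratio` thresholds are constructed values, not figures from the article.

```python
import csv
import io
from collections import defaultdict
from pathlib import PureWindowsPath
from statistics import median


def build_sample():
    """Constructed rows shaped like `Get-SmbOpenFile | Export-Csv` output."""
    rows = ["SessionId,ClientUserName,ClientComputerName,Path"]
    for i in range(4):   # ordinary session: a few open documents
        rows.append(f"101,CORP\\alice,10.0.0.21,D:\\Shares\\Finance\\q{i}.xlsx")
    for i in range(6):
        rows.append(f"102,CORP\\bob,10.0.0.22,D:\\Shares\\HR\\doc{i}.docx")
    rows.append("104,CORP\\dave,10.0.0.24,D:\\Shares\\IT\\notes.txt")
    for i in range(600):  # one session holding handles across 30 directories
        rows.append(f"103,CORP\\carol,10.0.0.23,D:\\Shares\\Dept{i % 30}\\file{i}.dat")
    return "\n".join(rows)


def flag_sessions(csv_text, min_open=200, ratio=10):
    """Flag sessions holding >= min_open files and >= ratio x the median of other sessions."""
    files, who = defaultdict(set), {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        sid = row["SessionId"]
        files[sid].add(row["Path"].lower())  # Windows paths compare case-insensitively by default
        who[sid] = (row["ClientUserName"], row["ClientComputerName"])
    flagged = []
    for sid, paths in files.items():
        others = [len(p) for s, p in files.items() if s != sid]
        baseline = median(others) if others else 0  # lone session: absolute threshold only
        if len(paths) >= min_open and len(paths) >= ratio * baseline:
            dirs = {str(PureWindowsPath(p).parent) for p in paths}
            flagged.append({"session": sid, "user": who[sid][0], "client": who[sid][1],
                            "open_files": len(paths), "directories": len(dirs)})
    return sorted(flagged, key=lambda f: f["open_files"], reverse=True)


if __name__ == "__main__":
    for hit in flag_sessions(build_sample()):
        print(hit)
```

Sessions that legitimately hold many handles, such as backup or indexing service accounts, will need an allowlist or a higher threshold.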

Read More: https://www.bleepingcomputer.com/news/security/new-ghostlock-tool-abuses-windows-api-to-block-file-access/