
GhostTree: Unveiling Path Manipulation Techniques to Bypass Windows Security

Varonis Threat Labs discovered 'GhostTree,' an evasion technique leveraging NTFS junctions to create recursive directory loops. By pointing multiple child junctions back to a parent directory, attackers can generate an exponentially large number of file paths, causing EDR and AV recursive scanners to hang and allowing malware to remain undetected.

Confidence: high | Analyzed: 2026-05-19 | Google

Authors: Varonis Threat Labs

Source: Varonis

Detection / Hunter | Google

What Happened

Security researchers have found a new trick called 'GhostTree' that attackers can use to hide malicious files on Windows computers. By creating special folder shortcuts that loop back on themselves, attackers can create millions of fake file paths. When security software tries to scan these folders, it gets stuck in an endless loop and fails to find the hidden malware. This matters because it allows threats to bypass standard antivirus scans. Organizations should ensure their systems are updated and monitor for unusual folder shortcut creations to spot this activity.

Key Takeaways

  • Attackers can use NTFS junctions to create recursive directory loops without requiring administrative privileges.
  • The 'GhostTree' technique creates a binary tree of paths, generating up to 2^126 valid paths to a single file.
  • This technique causes recursive directory scanners, including EDRs and AVs like Windows Defender, to hang or fail, effectively hiding malware.
  • Microsoft reportedly patched this specific issue, though they initially stated it did not cross a security boundary.

Affected Systems

  • Windows (NTFS File System)

Attack Chain

An attacker with standard user write permissions drops malware into a directory. They then use the Windows 'mklink' command to create multiple NTFS junctions within that directory that point back to the parent, creating a recursive loop known as GhostTree. When an EDR or AV attempts to recursively scan the directory, it gets caught in the exponentially large path structure and hangs. This allows the malware to execute or persist without being successfully analyzed by the security tool.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules, but recommends monitoring file system activity at the data layer for anomalous junction creation.

Detection Engineering Assessment

  • EDR Visibility: Medium — EDRs will log the command-line execution of mklink, but their file scanning components may be blinded or hang when encountering the recursive junctions.
  • Network Visibility: None — This is a purely local file system manipulation technique with no network footprint.
  • Detection Difficulty: Moderate — Detecting mklink usage is straightforward, but distinguishing malicious recursive junctions from legitimate developer or system junctions requires baseline knowledge of the environment.

Required Log Sources

  • Windows Security Event 4688 (Process Creation)
  • Sysmon Event 1 (Process Creation)
  • Sysmon Event 11 (FileCreate)

Hunting Hypotheses

Hypothesis: Consider hunting for standard users executing 'mklink /J' where the target directory is a parent of the link directory, indicating a potential recursive loop.
Telemetry: Process creation logs (Event ID 4688 or Sysmon Event 1) capturing command-line arguments.
ATT&CK Stage: Defense Evasion
FP Risk: Low to Medium, as recursive junctions are rarely created legitimately, though some development environments might use complex symlinks.
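The hunting hypothesis above can be turned into working detection logic. The following is an added example (not from the Varonis write-up or this summary) that runs over constructed Sysmon Event ID 1 style records: it parses the mklink command line, keeps only the /J (junction) form, and flags any case where the junction target is an ancestor of the junction path itself, reporting how many levels up it points. The sample events, user names and paths are all constructed for the demo.

```python
"""Hunt for 'mklink /J' process-creation events whose junction target is an
ancestor of the junction itself (the recursive-loop pattern in the hypothesis).
The event records below are constructed, not real telemetry."""
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event 1 / Security 4688 style records; only the fields
# the hunt needs (user, image, command line) are included.
SAMPLE_EVENTS = [
    {"EventID": 1, "User": r"CORP\jdoe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c mklink /J "C:\Users\jdoe\stash\a" "C:\Users\jdoe\stash"'},
    {"EventID": 1, "User": r"CORP\jdoe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c mklink /J C:\Users\jdoe\stash\b\c C:\Users\jdoe\stash"},
    # Legitimate-looking build cache junction: target is on another volume.
    {"EventID": 1, "User": r"CORP\buildsvc", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c mklink /J C:\build\node_modules D:\cache\node_modules"},
    # Directory symlink (/D), not a junction: out of scope for this hunt.
    {"EventID": 1, "User": r"CORP\jdoe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c mklink /D C:\Users\jdoe\x C:\Users\jdoe\y"},
    {"EventID": 1, "User": r"CORP\jdoe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users\jdoe"},
]

# mklink [/D|/H|/J] <link> <target>; either path may be double-quoted.
MKLINK_RE = re.compile(
    r'\bmklink\b((?:\s+/[a-z])*)\s+("[^"]+"|\S+)\s+("[^"]+"|\S+)',
    re.IGNORECASE,
)


def parse_mklink(command_line):
    """Return (flags, link, target) for an mklink invocation, else None."""
    m = MKLINK_RE.search(command_line)
    if not m:
        return None
    flags = {f.lower() for f in m.group(1).split()}
    return flags, m.group(2).strip('"'), m.group(3).strip('"')


def junction_loop_depth(link, target):
    """If target is an ancestor of link, return how many levels up it is
    (1 = parent, 2 = grandparent, ...); otherwise 0. PureWindowsPath compares
    case-insensitively, matching NTFS. Relative targets are not resolved here
    (assumption: the telemetry carries absolute paths)."""
    link_p, target_p = PureWindowsPath(link), PureWindowsPath(target)
    for depth, ancestor in enumerate(link_p.parents, start=1):
        if ancestor == target_p:
            return depth
    return 0


def hunt_recursive_junctions(events):
    """Return one finding per /J junction that points back at its own ancestor."""
    findings = []
    for ev in events:
        parsed = parse_mklink(ev.get("CommandLine", ""))
        if parsed is None:
            continue
        flags, link, target = parsed
        if "/j" not in flags:
            continue  # /D symlinks and /H hard links are a different hunt
        depth = junction_loop_depth(link, target)
        if depth:
            findings.append({"user": ev.get("User"), "link": link,
                             "target": target, "depth": depth})
    return findings


if __name__ == "__main__":
    for f in hunt_recursive_junctions(SAMPLE_EVENTS):
        print(f"{f['user']}: {f['link']} -> {f['target']} ({f['depth']} level(s) up)")
```

Because mklink is a cmd.exe built-in rather than a separate executable, the match has to be on the command-line field, not on the process image; the depth value lets an analyst triage parent-pointing junctions (the GhostTree shape) ahead of cross-volume cache junctions that a build service legitimately creates.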

Control Gaps

  • Recursive file scanners (AV/EDR) lacking loop detection or path depth limits.
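To make the control gap concrete, here is an added example (not code from Varonis or from any scanner vendor) of the safeguard a recursive scanner needs: a walker that identifies each directory by its resolved (device, inode) identity and refuses to visit the same real directory twice, with a depth cap as a second guard. It is paired with a naive, depth-bounded walker so the path explosion can be measured on a constructed test tree. Symlinks stand in for NTFS junctions so the fixture also runs on Linux; on Windows the same identity check works because os.stat populates st_dev and st_ino there too, and the reparse-point check in _is_reparse covers junctions (the fallback to st_file_attributes is an assumption for Python versions before DirEntry.is_junction existed).

```python
"""Loop-safe recursive scanner versus a naive one, measured on a constructed
directory tree that contains links pointing back at their own parent."""
import os
import stat
import tempfile


def _is_reparse(entry):
    """True if a DirEntry is a symlink or (on Windows) an NTFS junction.
    DirEntry.is_junction exists from Python 3.12; otherwise fall back to the
    reparse-point attribute (assumption: st_file_attributes is populated)."""
    if entry.is_symlink():
        return True
    is_junction = getattr(entry, "is_junction", None)
    if is_junction is not None:
        return is_junction()
    attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def safe_scan(root, max_depth=64):
    """Scan root following links, visiting every real directory at most once.
    Returns (directories_scanned, files_seen, links_seen). Two junctions that
    both point back at the parent resolve to the same (st_dev, st_ino) key and
    so collapse into a single visit; max_depth guards against a filesystem
    without stable inodes defeating the identity check."""
    seen = set()
    dirs = files = links = 0
    stack = [(root, 0)]
    while stack:
        path, depth = stack.pop()
        if depth > max_depth:
            continue  # refuse to go deeper than any sane tree
        st = os.stat(path)  # follows the link to the real directory
        key = (st.st_dev, st.st_ino)
        if key in seen:
            continue  # already scanned this real directory: a loop
        seen.add(key)
        dirs += 1
        with os.scandir(path) as it:
            for entry in it:
                if _is_reparse(entry):
                    links += 1
                if entry.is_dir():  # follows links, so a junction counts as a dir
                    stack.append((entry.path, depth + 1))
                else:
                    files += 1
    return dirs, files, links


def naive_path_count(root, max_depth):
    """Count the file paths a link-following scanner with no loop detection
    enumerates. Unbounded, it never finishes on a loop; max_depth only makes
    the demo terminate so the growth can be measured."""
    count = 0

    def walk(path, depth):
        nonlocal count
        with os.scandir(path) as it:
            for entry in it:
                if entry.is_dir():
                    if depth < max_depth:
                        walk(entry.path, depth + 1)
                else:
                    count += 1

    walk(root, 0)
    return count


def build_loop_fixture(base):
    """Constructed test tree: one benign file plus two links that point back at
    the directory containing them (symlinks standing in for junctions)."""
    root = os.path.join(base, "stash")
    os.mkdir(root)
    with open(os.path.join(root, "sample.txt"), "w", encoding="utf-8") as fh:
        fh.write("benign test content\n")
    for name in ("a", "b"):
        os.symlink(root, os.path.join(root, name), target_is_directory=True)
    return root


def demo(max_depth=10):
    """Returns (naive_paths, safe_dirs, safe_files, safe_links)."""
    with tempfile.TemporaryDirectory() as base:
        root = build_loop_fixture(base)
        naive = naive_path_count(root, max_depth)
        dirs, files, links = safe_scan(root)
    return naive, dirs, files, links


if __name__ == "__main__":
    print(demo())  # one real file becomes 2^(depth+1)-1 paths for the naive walker
```

With two back-links the naive walker sees 2^(d+1)-1 paths to the single file at depth d, which is the exponential growth the write-up describes; the identity-keyed walker scans one directory, one file and two links regardless of depth. A scanner that only caps path length or depth still does exponential work up to that cap, which is why the identity check is the primary control and the depth limit only a backstop.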

Key Behavioral Indicators

  • Execution of the cmd.exe built-in mklink with the /J switch (mklink is not a standalone executable, so look for it in the cmd.exe command line rather than as a process image)
  • Creation of directory junctions pointing to their own parent or grandparent directories

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Evaluate EDR and AV configurations to ensure they have safeguards against infinite directory loops or maximum path depth limits.

Infrastructure Hardening

  • Consider restricting the ability to create junctions or symlinks for non-administrative users if not strictly required for business operations.

User Protection

  • Ensure endpoints are updated with the latest Windows patches, as Microsoft reportedly patched this specific evasion behavior.

Security Awareness

  • Educate SOC analysts on the potential for file system manipulation techniques like GhostTree to blind automated scanning tools.

MITRE ATT&CK Mapping

  • T1564.004 - Hide Artifacts: NTFS File Attributes
  • T1059.003 - Command and Scripting Interpreter: Windows Command Shell

Additional IOCs

  • Command Lines:
    • Purpose: Create an NTFS directory junction to build recursive path loops | Tools: mklink, cmd.exe | Stage: Defense Evasion | Command: mklink /J